Diggs

Active Members
  • Posts

    36
Everything posted by Diggs

  1. Diggs

    The Middler

    I'm planning on having the event functions always return true, so it should just keep on putting it into the form. The Middler also comes with a built-in SSL stripper, so I'll test that and see if it works with the changes I've made. If that doesn't work, then I'll see about calling sslstrip and using that in the mix. I'll work on cleaning this code up a bit too to see if I can get it more extensible. Right now, it's just a series of hacks, so it's pretty much just spaghetti. It seems to be shaping up right now, so hopefully I won't find anything too deadly and can have something to show for it soon.
  2. Diggs

    The Middler

    Also, this was originally asynchronous for every Password and Text type input. I'm going to generalize it and see if anything stops working.
  3. Diggs

    The Middler

    Okay, I've changed the code so it uses the document.onkeydown event to grab the keystrokes. This will make it universally record keystrokes. I'll also start working on adding a document.onclick event and see if I can get it to submit every elementname and value to record. Any other suggestions on what should be done?
  4. Diggs

    The Middler

    It actually uses Javascript to hook into the keyboard presses. Originally, it would create a link which had the keypress character passed back to the InGuardians webpage. It sends this data with every keypress, not when the form is submitted, so it will send a character with every keypress. It also only puts the keypress Javascript event on password type inputs, so it would miss the username. I have changed it to use a fetch from an image because the link didn't seem to work properly for me. I also changed it to insert the Javascript on every input type element. This way, I might get a bunch of junk data, but at least I'm getting all the data that's not check/radio buttons. If I changed the code to send the string on whitespace, then it would increase the time between submits and so prevent two letters from being received in an order different from the one they were typed in.
  5. I know I have successfully gotten a shell by setting up port forwarding to a server, setting up the IP address as the home IP. There are a couple of important points about this:

     1. If you have a dynamic IP, make sure the exploit fires before the IP changes.
     2. Set up the LPORT to the forwarded port.
     3. Testing will be in two stages: one where you test the payload locally and use the local server IP, another where you check your routing from another access point. You can't ship a payload from inside the network to the public IP. It will always fail. If you have a webserver on public IP 184.1.1.1 and local IP 192.168.0.2 and you are on that network, http://184.1.1.1 will fail to connect. You will need to connect to 192.168.0.2, which means that any payloads calling home to 184.1.1.1 will fail on the local net. Go to a coffee shop and test bomb your laptop to make sure you are getting the connections, or run it off a tethered cell phone.

     Hope this helps. Number 3 gave me hell when I was first figuring things out. I thought that my payload was failing when it was just failing to reach the server.

     Diggs
  6. I think you could probably just open up Windows Explorer on his box and delete the C drive. I would make sure to do it from next to the Police station, cause otherwise it'll be a long ride and those handcuffs hurt.
  7. Diggs

    The Middler

    Quick update. I've been working on the Javascript plugin and have basically started rewriting most of it. I needed to add a Python HttpHandler to receive messages from the injected Javascript. I also changed the Javascript to call an image and insert two parameters, an ID and the caught character. I had a couple of questions to see if anyone had ideas:

    First: any ideas on avoiding collisions between the Javascript messages? I'm thinking of a situation where one message is delayed and arrives after a preceding message. This would throw off the character order. I have two ideas on how to handle this. The easiest would be to change the Javascript to send off entire strings when it gets a whitespace character. This would put spacing between messages and also keep order in connected characters. The problem with this would be if the user hit submit with the button instead of hitting enter or tab. There might be a workaround to this. Would there be any benefit to seeing the characters come across in real time as opposed to chunks? My second idea was to have a timestamp passed as a third parameter and then sort the array based on the timestamp for output. That would keep the real-time aspect intact, but would take some more coding on parsing the file.

    Second: Because I'm passing back the parameters to the Python HttpHandler as an image, it passes them back as a GET request. I thought this might be an issue with using this module legitimately as it publicly declares everything the user is typing. Any ideas on how to pass the params back in a POST request?

    I think that is all for now. I should have a skeleton function up once I verify that my changes are working in the current framework. I'll post up a tar of the entire thing so others can look.
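From the defender's side, the per-keypress image GET described in the post above has a recognisable shape in proxy logs: a burst of requests from one client to one path, each carrying a one-character query value. The following detector is an added example, not code from the post or from The Middler; the log format, host names and the parameter names `id` and `c` are constructed assumptions.

```python
# Added detection example (not code from the forum post or The Middler).
# Assumed exfil channel, per the post above: one image GET per keypress
# carrying a session id and a single character as query parameters. The
# host, log format and parameter names (id, c) are constructed for this demo.
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines: timestamp client method url
SAMPLE_LOG = """\
1700000000.10 10.0.0.5 GET http://logger.example/i.gif?id=7&c=p
1700000000.32 10.0.0.5 GET http://logger.example/i.gif?id=7&c=a
1700000000.55 10.0.0.5 GET http://logger.example/i.gif?id=7&c=s
1700000000.80 10.0.0.5 GET http://logger.example/i.gif?id=7&c=s
1700000001.02 10.0.0.5 GET http://logger.example/i.gif?id=7&c=w
1700000001.20 10.0.0.5 GET http://logger.example/i.gif?id=7&c=d
1700000002.00 10.0.0.5 GET http://cdn.example/logo.png
1700000005.00 10.0.0.9 GET http://shop.example/item?id=42&c=blue
"""


def find_keystroke_beacons(log_text, min_hits=5, window=2.0):
    """Flag (client, path) pairs receiving a burst of GETs that carry a
    single-character query value: at least min_hits within window seconds.
    Returns {(client, path): total_candidate_requests}."""
    candidates = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, method, url = line.split()
        if method != "GET":
            continue
        parts = urlsplit(url)
        values = [v for vs in parse_qs(parts.query).values() for v in vs]
        # A one-character parameter value is the per-keypress signature.
        if not any(len(v) == 1 for v in values):
            continue
        candidates[(client, parts.netloc + parts.path)].append(float(ts))
    flagged = {}
    for key, times in candidates.items():
        times.sort()
        # Sliding window: do any min_hits consecutive hits fit in window?
        for i in range(len(times) - min_hits + 1):
            if times[i + min_hits - 1] - times[i] <= window:
                flagged[key] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for (client, path), n in find_keystroke_beacons(SAMPLE_LOG).items():
        print(f"possible keystroke beacon: {client} -> {path} ({n} hits)")
```

Legitimate sites with single-character parameters exist, so treat a hit as a lead to inspect (who the destination host is, whether the page was served over plain HTTP) rather than a verdict.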
  8. Diggs

    The Middler

    I was snooping around the googlecode page for the Middler and noticed that the plugins available for the different versions change. The latest version includes SIP middling, which I'll look at once I have at least a little understanding of SIP. In the meantime, the first version of the Middler can be checked out here: svn checkout http://middler.googlecode.com/svn/tags/0.95r1 It has three modules which are labeled INGUARDIANSONLY. This seems mildly interesting. It also contains the only version of the JS keylogger I've found so far. The later version, 1.0r1, has both the BEEF and Metasploit autopwn injections. I'm going to start diffing all of the versions to see what's been changed, as it looks like some plugins might have been removed and left public accidentally. As far as the JS keylogger, it looks like it injects the Javascript into the body in the first child. It seems like they had already done what was proposed to avoid the XSS filtering and just return each keypress. I cannot yet vouch for how well it works, but I've at least got some demo code now which I can start to build on. If I manage to get this up and running properly, I'll report back.
  9. Diggs

    The Middler

    Hmm, I'll have to take a look at how to insert the Javascript into the page instead of its own frame. It might already be set up to do that, but I'll see what's going on with it. I'll also see how the plugins put in the Metasploit modules and see if we can get an easy way to stick that in a stream. Any other ideas?
  10. Diggs

    The Middler

    Yep, that's the episode. Basically the Middler is a Python script that intercepts incoming webpages and adds a frame to them. In the episode, they were trying to use a Javascript module that hooked to keyboard input and shipped it off in real time. There were also supposed to be plugins for Metasploit payloads and a couple other interesting things. This seems like an interesting project and might not be that bad to implement. Frame injection would be pretty useful for MitM events. I will probably be working on getting either this code or something similar working, but anyone having either input on the current codebase or suggestions should let me know.
  11. Diggs

    The Middler

    I know that Darren was working on this project a couple years ago and I was looking at maybe trying to resurrect this code. Has anyone else started working through the code and seeing if there is anything that can get worked on to get some of the more interesting plugins working? Darren, if you have any advice on how to get these plugins working or updates on what you had found, it would be greatly appreciated. I was interested in getting a hidden frame with arbitrary Metasploit modules and wanted to see if anyone else might be interested in working on this project with me.