Hak5 Forums
anao00

Injection of malicious code in a webpage


Let's say I've managed to change my target's DNS

How could I inject a payload (from a RAT) directly into the webpage of my victim?

I don't want them to get redirected to a fake website, I just want to inject them with malicious code.


Nice, the forum doesn't allow the OP to edit his own thread.

What I wanted to do was to have the user type in a website domain and get the contents of that website altered so I could add some code to it, and I wanted to do that only by changing his DNS servers.

I don't know how practical that is, I just wanted to know if it's possible, and how.


I made this a few weeks ago.

https://github.com/bg-wa/rails_in_the_middle

Set up the app and point your DNS to it, point the app to the site you want to modify, and inject whatever code you want before it's sent to the user (also works the other direction, sending data to the original server).

*Also not sure how practical this is, but it's possible.


There might already be some man-in-the-middle tools that provide this type of technique.

To do this yourself will take research; it's not that hard to accomplish, but also not that simple to explain.

The quickest suggestion I have is an ettercap filter.

What I have done in the past with an ettercap filter is replace an HTML string like

</TITLE>

with your payload:

</TITLE><iframe SRC=rat.exe>

Do research on ettercap. Learn what works and does not work.
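Added example, not part of the thread and not anyone's posted code: a defender-side check that scans a captured page for the kind of splice described above (a frame pointing at an executable, or a frame landing inside <head> right after the title). The sample pages and the suffix list are constructed for the example.

```python
from html.parser import HTMLParser

# Constructed sample pages (not from the thread): the first carries the
# </TITLE><iframe SRC=...exe> pattern described in the post, the second is clean.
TAMPERED_HTML = """<html><head><title>Store</title></TITLE><iframe SRC=rat.exe></head>
<body><p>Welcome</p></body></html>"""
CLEAN_HTML = """<html><head><title>Store</title></head>
<body><p>Welcome</p><iframe src="https://example.com/widget.html"></iframe></body></html>"""

# File types a frame or embed has no legitimate reason to reference.
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".jar", ".hta")


class SuspiciousFrameFinder(HTMLParser):
    """Flag iframe/frame/embed/object tags that reference an executable,
    or that sit inside <head>, where content spliced in after </title> lands."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
            return
        if tag not in ("iframe", "frame", "embed", "object"):
            return
        attrs = dict(attrs)
        # HTMLParser lowercases tag and attribute names, so SRC= arrives as src=.
        src = (attrs.get("src") or attrs.get("data") or "").strip().lower()
        path = src.split("?", 1)[0]
        if path.endswith(EXECUTABLE_SUFFIXES):
            self.findings.append((tag, src, "points at an executable"))
        elif self.in_head:
            self.findings.append((tag, src, "frame inside <head>"))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def find_suspicious_frames(html):
    """Return (tag, src, reason) tuples for every suspicious frame in a captured page."""
    parser = SuspiciousFrameFinder()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run it over pages saved from a proxy or a crawler; the suffix list is a heuristic, so extend it to whatever file types your environment treats as executable.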

5 hours ago, bg-wa said:

I made this a few weeks ago.

https://github.com/bg-wa/rails_in_the_middle

Set up the app and point your DNS to it, point the app to the site you want to modify, and inject whatever code you want before it's sent to the user (also works the other direction, sending data to the original server).

*Also not sure how practical this is, but it's possible.

Do I need to be locally present, close to the target?

If I set up rails in the middle on a webserver that is also running a DNS server and then make, somehow, the user use that DNS instead of the ISP's, could I tamper with a request for www.amazon.com and add something to the index.html page?

How could I possibly protect myself from that besides regularly checking my DNS to see if it's the correct one?

I want to test that thing. I spent almost 2 days thinking about this and trying to figure out ways to make it work, and then how to make it not work on my machines. Haha.

1 hour ago, anao00 said:

Do I need to be locally present, close to the target?

If I set up rails in the middle on a webserver that is also running a DNS server and then make, somehow, the user use that DNS instead of the ISP's, could I tamper with a request for www.amazon.com and add something to the index.html page?

How could I possibly protect myself from that besides regularly checking my DNS to see if it's the correct one?

I want to test that thing. I spent almost 2 days thinking about this and trying to figure out ways to make it work, and then how to make it not work on my machines. Haha.

For what you want to do, man in the middle vs Amazon may be impossible with publicly available tools... You should learn this stuff. Follow an ettercap filter tutorial... follow sslstrip tutorials...

It might work if by chance the web surfer visits an out-of-date web server, or if the advertisement on the screen uses the http protocol or unencrypted traffic...

I have a video of doing exactly what you're asking for. I made a mitm ruby proxy that would replace any executable with a meterpreter.exe during the download process. It would depend on the traffic being unencrypted, or at least on sslstrip working.

17 hours ago, anao00 said:

Let's say I've managed to change my target's DNS

..."Theoretically"?

14 hours ago, anao00 said:

Nice, the forum doesn't allow the OP to edit his own thread.

You can't edit your posts as a new user. You have to have a certain amount of posts before given that privilege. It can be annoying, but if you don't rush your post it's not a problem.

14 hours ago, anao00 said:

What I wanted to do was to have the user type in a website domain and get the contents of that website altered so I could add some code to it, and I wanted to do that only by changing his DNS servers.

Change his DNS servers to a replica page you created based on the real site. Make the changes you want. That's what everyone else does, unfortunately. No-lifers preying on people who don't know how dangerous the internet can be.

You would know how to do this by simply having general knowledge about DNS servers, HTTP ports and web servers. Maybe JS/PHP, depending on the type of payload. Information you could get anywhere. But you know, of course you wouldn't ever be immediately malicious to someone because you obviously sound like you have tonnes of experience and are definitely not asking very to-the-point questions. ?


Ok. I have an idea: a proxy that clones the target or destination address.

Get /amazonDotCom

set toolkit-clone amazonDotCom

Provide fresh-cloned-new-response to the client.

This doesn't work on everything. It's doable.

Arpspoof is the best mitm tool I use. iptables to redirect all traffic back and forth on the network. Or from

Client <-> proxy-tamper.rb

Won't be hard to do in bash. Automate what you want to happen. I can make this for you. I prefer ruby but I have worked with people before that built half of a toolkit project build. Direct message me.


@anao00 Yes, you are correct, DNS is a fragile system (in more ways than this example). Regardless of where you intercept, it can be difficult to detect.

One thing not mentioned is SSL... you can use this method to host https://amazon.com at https://my-custom domain.com or http://amazon.com, but you won't have the right cert on your middleware machine to host https://amazon.com. It's subtle, but browsers are doing a better job of pointing out non-secure sites lately.


19 hours ago, Dave-ee Jones said:

..."Theoretically"?

You can't edit your posts as a new user. You have to have a certain amount of posts before given that privilege. It can be annoying, but if you don't rush your post it's not a problem.

Change his DNS servers to a replica page you created based on the real site. Make the changes you want. That's what everyone else does, unfortunately. No-lifers preying on people who don't know how dangerous the internet can be.

You would know how to do this by simply having general knowledge about DNS servers, HTTP ports and web servers. Maybe JS/PHP, depending on the type of payload. Information you could get anywhere. But you know, of course you wouldn't ever be immediately malicious to someone because you obviously sound like you have tonnes of experience and are definitely not asking very to-the-point questions. ?

Change the DNS > User gets redirected to my website even though the URL is the same, but there is no https, only http > There is a warning saying that the browser or whatever is outdated and it asks the user to download the update and install it > Undetectable payload is then installed.

How could someone possibly defend themselves against this unless they know about MITM and the importance of HTTPS and checking the URL?

 

17 hours ago, i8igmac said:

Ok. I have an idea: a proxy that clones the target or destination address.

Get /amazonDotCom

set toolkit-clone amazonDotCom

Provide fresh-cloned-new-response to the client.

This doesn't work on everything. It's doable.

Arpspoof is the best mitm tool I use. iptables to redirect all traffic back and forth on the network. Or from

Client <-> proxy-tamper.rb

Won't be hard to do in bash. Automate what you want to happen. I can make this for you. I prefer ruby but I have worked with people before that built half of a toolkit project build. Direct message me.

I've been trying my luck with python.

Let's say I own a DNS server and a lot of other servers. The user goes through the DNS and then gets redirected to my website. The website detects the original URL that was intended, clones the desired page, poisons the data with what I want, and then delivers it to the user.

The problem with SET is that it wasn't intended to be used for cloning and adding extra stuff. They made it so you could easily grab credentials by capturing POSTs. A little bit of code tweaking would be required.

But it's not very practical since the website would take too long to load, long enough that the user could google about his connection being slow and then find an article telling him to change his DNS.


2 hours ago, bg-wa said:

@anao00 Yes, you are correct, DNS is a fragile system (in more ways than this example). Regardless of where you intercept, it can be difficult to detect.

One thing not mentioned is SSL... you can use this method to host https://amazon.com at https://my-custom domain.com or http://amazon.com, but you won't have the right cert on your middleware machine to host https://amazon.com. It's subtle, but browsers are doing a better job of pointing out non-secure sites lately.

More fragile than DNS? Only basically every router that there is out there. That is very concerning.

It was possible not long ago to have a domain like amazon.com being fed to the user using https and a valid certificate, but the way you'd achieve that was through buying a domain that looked like amazon.com, but actually the "a" from amazon was the a from the Cyrillic alphabet or something. Some guy even coded a script for that.

Now, every updated browser will display a URL that looks like "xn----14811mazon.com" after the user clicks the link, so it's not very practical.

But I noticed that most people don't even know what https is, and those who do know, they wouldn't question or try to figure out what is wrong if they accessed google and the browser didn't display a green padlock. They typed google.com and it worked, that's what they care about.
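Added example, not part of the thread: a small checker that does roughly what the up-to-date browsers mentioned above do with such names, producing the xn-- (punycode) form of each label and flagging labels that mix scripts, which is the signature of the Cyrillic-"a" trick. The hostnames are constructed for the example; it uses only Python's built-in idna codec and unicodedata.

```python
import unicodedata


def label_scripts(label):
    """Return the set of script names (first word of each letter's Unicode
    name, e.g. LATIN or CYRILLIC) that the letters of one DNS label use."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def inspect_hostname(hostname):
    """Return (ascii_form, findings) for a hostname a user typed or clicked.

    ascii_form is what a current browser shows in the address bar (xn--
    labels for anything non-ASCII); findings lists labels that look like
    homograph attempts (mixed scripts) or that are simply non-ASCII.
    """
    findings = []
    ascii_labels = []
    for label in hostname.split("."):
        try:
            ascii_label = label.encode("idna").decode("ascii")
        except UnicodeError as exc:
            findings.append(f"{label!r}: not a valid IDN label ({exc})")
            ascii_label = label
        ascii_labels.append(ascii_label)
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append(f"{label!r}: mixes scripts {sorted(scripts)}")
        elif ascii_label.startswith("xn--"):
            findings.append(f"{label!r}: non-ASCII label, displayed as {ascii_label}")
    return ".".join(ascii_labels), findings


# Constructed sample: Latin "amazon.com" beside a look-alike whose first
# letter is Cyrillic U+0430, the trick the post describes.
if __name__ == "__main__":
    for name in ("amazon.com", "\u0430mazon.com"):
        print(inspect_hostname(name))
```

A mixed-script label is the strong signal; a label that is merely non-ASCII is normal for many legitimate international domains and only deserves a look when it impersonates a brand you care about.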


It's all automation, like clockwork. If you clone the site, you could easily add or modify this data before it gets sent out.


Buy a domain, set up a phoney website, inject code. See how long the site lasts.

A tool called wifiphisher is setting up a phoney web page to man in the middle ya. Looks like a normal router page? The only real way to alter web page code would be to break the law. Copyright or domain trespass. If ya tried it on amazon.com I'm sure that it would trigger an alarm somewhere.

Ever watch Hackers?
