Thursday, December 16, 2010

Squid-imposter: Phishing websites forever with HTML5 offline cache

Recently I've been doing some HTML5 hacking and I encountered Imposter by Lavakumar Kuppan. It's a framework for browser phishing attacks: a tool that integrates a DNS server, a web server and a configuration utility, all running on a Windows machine. Once a victim connects to Imposter (e.g. through a rogue WiFi access point), it tries to steal his cookies, inject payloads into chosen websites, and so on. There is also a module that uses the HTML5 offline cache to store the payload permanently in all supporting browsers. It's a pretty clever framework, but it requires Windows.

I've decided to take the HTML5 offline cache storage functionality and port it to Linux. The result is presented here as Squid-imposter. Now you can easily spoof websites that will be stored in the victim's browser cache forever.

Introduction

Squid-imposter makes it easy to create a Squid-based proxy that injects your own content into chosen website URLs. Thanks to the HTML5 offline cache features, the modified content then persists in the client's browser even when the client no longer connects through your proxy. Additionally, standard HTTP cache headers set the page to be cached for 10 years. The injected content may, for example, be used to form a phishing attack during a penetration test.

What can it do?

It's a MITM/sidejacking attack technique: we're not exploiting a vulnerability in any website; instead we pretend to be that website. The only protection is, of course, using HTTPS/VPN, as Firesheep recently taught everyone.

The process is as follows:
  1. Choose a website URL you'd like to spoof (e.g. the Gmail login page)
  2. Prepare a modified version of the page (e.g. with a submit button that also sends the login/password to you)
  3. Look for any other URL on the domain that the user is unlikely to visit (this will be the manifest URL). It might be something tiny like a blank.gif file.
  4. Set up squid-imposter with the payloads and URLs
  5. Convince a victim to connect to squid-imposter (e.g. hijack the victim's proxy entries, make him connect to your rogue Wi-Fi)
  6. When the victim enters the URL, squid returns the modified page and a manifest file that tells the browser to store the page in its offline cache.*
  7. Two years later, the user is no longer connected to your proxy, but the modified page is still served by the victim's browser.
* Google Chrome will store the page in cache without user intervention. Firefox will ask for permission, but even if denied, the page will be stored in the standard cache thanks to the "expires in 10 years" HTTP header.
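From the defending side, the two artifacts the steps above rely on (an appcache manifest declared on the page and an absurdly long cache lifetime) are easy to spot in a captured response. The following Python is an added example, not part of Squid-imposter or the original post; the sample response, the capture time and the one-year threshold are assumptions constructed for it.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
# Constructed sample response of the kind described above: an HTML page declaring
# an offline-cache manifest (a blank.gif URL, as in step 3) with ten-year cache
# headers. Every value below is made up for this example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: public, max-age=315360000\r\n"
    "Expires: Wed, 16 Dec 2020 12:00:00 GMT\r\n"
    "\r\n"
    '<!DOCTYPE html><html manifest="/blank.gif"><body>login form</body></html>'
)
NOW = datetime(2010, 12, 16, tzinfo=timezone.utc)  # assumed capture time
LONG_LIFETIME = timedelta(days=365)  # lifetimes beyond a year get flagged

def parse_response(raw):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def find_manifest(body):
    """Return the appcache manifest URL declared on the <html> tag, or None."""
    m = re.search(r'<html[^>]*\smanifest\s*=\s*["\']([^"\']+)["\']', body, re.I)
    return m.group(1) if m else None

def cache_lifetime(headers, now):
    """Longest lifetime implied by Cache-Control max-age or the Expires header."""
    lifetime = timedelta(0)
    m = re.search(r"max-age=(\d+)", headers.get("cache-control", ""))
    if m:
        lifetime = max(lifetime, timedelta(seconds=int(m.group(1))))
    if "expires" in headers:
        try:
            lifetime = max(lifetime, parsedate_to_datetime(headers["expires"]) - now)
        except (TypeError, ValueError):
            pass  # an unparseable Expires header is ignored
    return lifetime

def audit_response(raw, now=NOW):
    """List the findings for one response: manifest declared, overlong lifetime."""
    headers, body = parse_response(raw)
    findings = []
    if manifest := find_manifest(body):
        findings.append("appcache-manifest:" + manifest)
    if cache_lifetime(headers, now) > LONG_LIFETIME:
        findings.append("long-cache-lifetime")
    return findings
```

Either finding on its own is common on legitimate sites; both together on a login page, with the manifest pointing at an unrelated resource, is the pattern worth investigating.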

Requirements

  • PHP 5.2
  • Apache
  • mod_php
  • Squid
All of these can be easily set up in e.g. an Ubuntu virtual machine. The default setups of these tools will do. In case you encounter problems, please let me know.

Architecture

The scheme used by squid-imposter to spoof a website is presented in a graphic below.

Squid-imposter interaction diagram

Download

Feel free to download or fork the project from its GitHub repository. The license is MIT.

Release notes

The software is of beta quality. It's documented and works with the basic features, but there are still some ideas to improve on. Heavy testing and feedback are very welcome.

1 comment:

sherry said...

Can you please send me a simple code for exploiting cache manifest. My id is sherry14apr@gmail.com