XSS Agent - Tunnel

How to use the XSS Agent - Remote Control

Exploit Pack includes as part of its core features an XSS Channel. This is basically an interactive communication between two or more systems which is carried out by an XSS attack or by direct modification of the targeted website.

At a technical level, it is a type of AJAX application which can obtain commands, send responses back and is able to talk cross-domain. The XSS Shell is a tool that can be used to setup an XSS Channel between a victim and an attacker so that an attacker can take control of the victim's browser by sending it arbitrary commands.

This communication is bi-directional. To get the XSS Shell to work an attacker needs to inject the XSS Shell’s JavaScript. The attacker is then able to control the victim’s browser. After this point the attacker can see requests, responses and is able to instruct the victim’s browser to carryout requests and continue further with his attack in order to gain access to the underlying operating system trough, for instance, an exploit.

An example of injection would be:

<script src="../exploits/code/agent.js"></script>

How does it work? The first part of the XSS Shell in Exploit Pack coordinates the XSS Shell between an attacker and the victim. It is a server-side application and requires Exploit Pack to be used as storage. The second part is client-side and written in JavaScript. This loads in the victim’s browser and it is responsible for the receiving and processing of commands together with providing the channel between the victim and the attacker. This code was tested under all the latest browsers. The final part of the XSS Shell is the administration interface. An attacker can send new commands and receive responses from multiple victims browsers.

How to use it? On the left side of the screen go to Utilities tab and then Remote Control, now select "Agent-XSS". On the Editor you will see the code to be executed into the victim's browser once triggered. You should change the value in the code from "http://127.0.0.1:8000/agent/;" for the IP address that you want to trick, for example if you want to use something else than localhost let's say a class C like 192.168.0.1 as a server, you will have with something like "http://192.168.0.1/agent/"; so when the XSS gets executed it will know where to find the server.

How to conduct a real attack during a pentest? 1. Once you are ready select all and copy it into a file like '"exploitpack.js" and host it in your desired website. 2. Host this file on a webserver of your choice or serve it using Exploit Pack. 3. Trigger the victim to execute this JS trough a XSS injection or by the modification of the targeted website. 4. Once the victim has executed this JS you will see under the "Connection list" your new agents being deployed.

Below you will see a list of useful commands you can use with any of those agents, these commands can be chained so you can execute more than one at the same time.

// Dialog(message) - To display a Dialog and receive the answer
// GetCredentials(credentials) - Collect user's credentials
// GetSession() - Get user's sessions
// Freeze() - Infinite loop the remote browser
// PersistAggresive() - Persist the session on the remote browser
// redirectSite(url) - Redirect the user to the desired URL
// execJS(code) - Execute your JS on inside a script tag
// monster() - Call the Cookie monster on the user's browser
// tabKiller() - Kill the current tab ( Firefox, Chrome )
// PersistOnClick() - Persist the agent on an OnClick event
// jokeImages() - Make spin the images of the open pages
// protectMySite() - Activate the keylogging function and block XSS and SQLi attempts
// xssProtect() - Activate the XSS client-side protection on the desired browser
// sqlProtect() - Activate the SQLi client-side protection on the desired browser
// banIP(ip) - Add the desired IP/Hostname to your blacklist
// addIPtoBanList() - Add the current IP/Hostname to your blacklist
// antiCopyPaste() - Prevent the remote user of copy/paste the page
// noCTRL() - Deactivate the CTRL functions
// scanEngine(host) - Launch a discover scan from the remote browser
// portScanner(host) - Launch a portscan from the remote browser to a specific host
// launchWindow(id) - Create a new windows with the specified height, width
// exploitThis(exploitName) - Execute an exploit ( Browser ) from the agent
// scanForThreats() - Discover remote plugins and useful information for testing
// Plugins() - Obtains a list of running plugins on the remote host
// ScreenSize() - Calculate and retrieve current Window size

QUICK DEMO In order to see how it works before deploying it into your testing environment, you can deploy an agent in your local machine, on the top-side of the screen click on the "Browser" button (you can also find it in the Red Team tab under network connectivity as "Browser shell") this will pop-up a browser window that has already included the XSS agent into it, once it's triggered you will see the connection back in the Exploit Pack console.

From here, you can take advantage of this channel and continue your penetration test. Have in mind that you can perform all the actions that a browser can do trough JavaScript so that also limit yourself to only the browser. If you need access to the underlying operating system you will need to execute an exploit, for instance, get a list of the plugins in that browser and/or the version of it and host and redirect the victim to a page that will trigger that exploit. After getting access into the underlying operating system, take advantage of the VBS/PS agent to gain persistance into that system.

You can try all the options and commands provided for your basic attacks, but you can also add to that code anything you want in JS, it will be automatically added and executed into the victim's browser.