Imposter – Browser Phishing Framework

May 8, 2010, by | Start Discussion


Imagine this scenario; you are sitting at the airport waiting for your boarding call. You turn on your laptop to kill time, scan for free Wi-Fi networks, connect to one of them and request for ‘google.com’.

How much do you risk by doing this? ‘Not much’ you would say, right?

After all you have a fully patched OS, the latest antivirus, a strict personal firewall, you are logged in as a non-admin user and you would never click ‘OK’ on any pop-up. What could an attacker possible do?

Well, if the attacker is using Imposter then he could, in a matter of seconds do any or all of this:

  1. Steal sensitive files from your system containing personal information.
  2. Steal stored passwords of FaceBook, Twitter, MySpace and other accounts from the browser.
  3. Place permanent backdoors in your browser for sites like Gmail, MySpace, and WordPress etc.
  4. Steal your entire Gmail and MySpace inbox and Google Docs etc.
  5. Steal your cookies and hijack your pre-authenticated sessions.
  6. Poison your cookie store and perform session fixation attacks.
  7. Steal sensitive files stored in your browser’s cache.
  8. Poison your browser’s cache with malicious scripts.
  9. List out every sleazy site you have visited by checking your LSO (Local Shared Objects), which usually never gets deleted.

All of this can be done so quickly and stealthily that you wouldn’t even know what hit you.

Now that you know what Imposter can do, let’s look at how it does this.

Browser Phishing:

Imposter performs all the mentioned attacks against the browser and it targets one of the most critical security features of all modern browsers, the SameOriginPolicy. Websites store a wide variety of data in the browser, these ranges from cookies, LocalSharedObjects, Cached Files, GoogleGears databases, GoogleGears LocalServer modules etc. All of this data is only accessible by the websites that store them,  a concept which is called as SameOriginPolicy.

In scenarios where the victim is connected to an attacker-controlled Wi-Fi AccessPoint the attacker can serve content as any website. What this means is that now the attacker can pretend to be any website; from Google to FaceBook, as long as they are over HTTP. And so he can access the data that has been stored by those websites in the victim’s browser.It’s really that simple.

Imposter Internals:

Once the attacker sets up and configures Imposter as instructed in the detailed user guide – http://www.andlabs.org/tools/imposter/imposter.html, Imposter handles the rest.
 

Imposter has two main components that help it perform these attacks:

 

  • Imposter’s DNS Server
  • Imposter’s Web Server

Imposter’s DNS server resolves every hostname to the attacker’s IP address. So no matter what site the victim is requesting for, the request always comes to the Imposter’s Web Server.

Imposter’s Web Server sends a customizable harmless looking ‘welcome page’ to the victim. This page includes multiple iframes sourced to different domain names. Imposter’s Web Server sends JavaScript payloads to these iframes to steal and poison offline data.
 

Customizable ‘welcome page’ returned by Imposter to the victim. This page contains multiple iframes which load the payloads.

The data stolen by the JavaScript payloads is sent back to Imposter’s Web Server. Imposter parses this data, processes it and stores it in a SQLite database. The entire process takes just a few seconds and does not trigger any alert or pop-up.

Permanent backdoor placement and Gmail Inbox stealing attacks are specific to users of Google Gears. Technical details on how these attacks work can be read from the whitepaper ‘Google Gears for Attackers’ – http://www.andlabs.org/whitepapers/GoogleGears_for_Attackers.pdf.

Imposter can also steal files from the victim’s local file system if they are using Internet Explorer. It makes use of a special in-built sniffer for this attack. The technique behind this attack is described in detail in the whitepaper ‘Flash+IE=PrisonBreak’  – http://www.andlabs.org/whitepapers/F_IE_PrisonBreak.pdf.

Videos of most of the attacks are available at http://www.andlabs.org/videos.html

Imposter requires the .NET Framework to run and has currently only been tested on Windows.  Imposter is a GUI tool which reduces the learning curve drastically; if you understand the theory behind the attacks you can start using Imposter in a matter of minutes. Imposter is also the only tool which can perform all the mentioned attacks out of the box.
 

Anti-Script Kiddies measure:

Given its ease of use, Imposter is almost too easy to be abused by Script Kiddies. To control this, Imposter does not come with any default preloaded configuration. Any person who understands the concepts behind the attacks should have no trouble configuring Imposter. However for a clueless individual it’s like a gun without bullets, totally harmless.

Use in Penetration Testing:

Imposter should be a part of every Penetration tester’s toolkit. I should know it well because I am a Penetration tester myself. There have been instances when clients have asked for a Penetration test on the laptops of their employees. This would almost always end up showing no results if you follow the traditional route of scan & exploit. This is because laptops rarely have services listening on them that can be accessed through inbound connections, thanks to the firewall.

What you should instead be targeting are the outbound connections. And perhaps the easiest way  to get into any laptop would be through the browser. Imposter can help you check how secure the browser is against ‘Browser Phishing’  attacks. With browsers becoming the most prominent desktop application it is imperative that every possible attack vector, against them is tested for.

Future Plans:

I am currently working on a new module for Imposter and there are a few other related projects that are currently under active research. I cannot provide specific details about them at this point of time but do expect to hear more frequently about ‘browser phishing’ attacks in the future. A mono-compatible Linux variant is also in the pipeline.
 

If you are still reading this article then I am pretty sure you would be curious to check out Imposter. Take it for a spin and have fun with it, download link is available at http://andlabs.org/tools.html#imposter. If you have a specific feature request or some other feedback then please mail them to me and I will try my best to address them in the next version of Imposter.

Until next time, browse safely!

Lavakumar is the author of IronWASP, the advanced Web Security Testing Platform. He has also authored many other security tools like ‘Shell of the Future’, JS-Recon, Imposter and the HTLM5 based Distributed Computing System – Ravan. He has spoken at multiple conferences like BlackHat, OWASP AppSec Asia, ClubHack, Securitybyte, Nullcon, etc.

Leave a Reply