Skip to content

koto/squid-imposter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits

Zend

Zend

 
 

payloads

payloads

 
 

README

README

 
 

index.php

index.php

 
 

rewrite.php

rewrite.php

 
 

setup_gw.sh

setup_gw.sh

 
 

squid-imposter.png

squid-imposter.png

 
 

squid.conf

squid.conf

 
 

Repository files navigation

SQUID-IMPOSTER

Project makes it easy to create Squid-based proxy injecting your own content to chosen website URLs. Modified content is then persisted in client's browser even when the client no longer connects through your proxy thanks to HTML5 Offline cache features.
Injected content may for example be used to form a phishing attack during penetration test.

This is a port of HTML5 offline cache poisoning features introduced in Imposter to Squid/Apache/PHP setup.

Imposter: http://www.andlabs.org/tools/imposter/imposter.html by Lavakumar Kuppan
Port by Krzysztof Kotowicz <kkotowicz at gmail dot com>

Architecture
============
Diagram describing squid-imposter architecture is in squid-imposter.png file. You may also consult
andlabs.org for further explanations on what Imposter is and what can it do.

Requirements
============
- PHP 5.2
- Apache
- mod_php
- Squid


Instalation
===========
1. Put the files somewhere within Apache document root. Note the URL to the directory with the files and insert it into config.ini 'imposter' setting

2. Setup squid rewrite program: in /etc/squid/squid.conf insert the line:
   url_rewrite_program /absolute/path-to/rewrite.php

   Default installation of squid on Ubuntu will do just fine with this single-line change.

   This will make squid pass every URL requested by client to rewrite.php script for possible silent redirection.

3. Setup targetted websites

   Edit config.ini file and insert a section for each website. Section name will be the site id. Each section should have a payload= and manifest= values. For example, to spoof example.com login page, enter:
   [example_com]
   payload=http://example.com/login.asp
   manifest=http://example.com/images/blank.gif

   'payload' is the URL that should be replaced in the offline cache. 'manifest' is the cache manifest file. Choose some static file present on the live domain to make the attack more permanent (browsers will try to refresh cache manifest on each page load).

4. Prepare the payload files

   At most three files will be used for each website:
    - <site-id>.payload is the payload file. It's a copy of a website page with additional decorations made by you (e.g. form values stealing, script injection etc.)
    - <site-id>.manifest is the injected cache manifest file.
    - <site-id>.append (optional) - instead of using .payload file, the actual URL will be fetched by the server and this file will be appended right before </body>. Not as bulletproof as .payload file, but may sometimes be simpler to set up. If .payload and .append files are present, .payload takes precedence.
    
   There are also default.manifest and default.append files used when there is no specific file for a given site id.       

   In every file you may use these strings:
    %%manifest%% - manifest URL
    %%payload%% - payload URL

   Also, <html manifest=> declaration and appropriete 'cache for 10 years' HTTP headers will be added automatically to payload.

5. Set up squid proxy in the HTML5-supporting browser (or make an open access point serviced by the squid proxy) and enjoy :)
   Default squid port is 3128.


When you're changing config.ini entries, be sure to restart squid (sudo /etc/init.d/squid restart) to refresh the changes.

License
=======

Copyright (c) 2010 Krzysztof Kotowicz

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

About

Phishing attack w/HTML5 offline cache framework based on Squid proxy

blog.kotowicz.net/2010/12/squid-imposter-phishing-websites.html

Resources

Readme
Activity

Stars

30 stars

Watchers

6 watching

Forks

15 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages