Phishing attack w/HTML5 offline cache framework based on Squid proxy
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Failed to load latest commit information.
SQUID-IMPOSTER Project makes it easy to create Squid-based proxy injecting your own content to chosen website URLs. Modified content is then persisted in client's browser even when the client no longer connects through your proxy thanks to HTML5 Offline cache features. Injected content may for example be used to form a phishing attack during penetration test. This is a port of HTML5 offline cache poisoning features introduced in Imposter to Squid/Apache/PHP setup. Imposter: http://www.andlabs.org/tools/imposter/imposter.html by Lavakumar Kuppan Port by Krzysztof Kotowicz <kkotowicz at gmail dot com> Architecture ============ Diagram describing squid-imposter architecture is in squid-imposter.png file. You may also consult andlabs.org for further explanations on what Imposter is and what can it do. Requirements ============ - PHP 5.2 - Apache - mod_php - Squid Instalation =========== 1. Put the files somewhere within Apache document root. Note the URL to the directory with the files and insert it into config.ini 'imposter' setting 2. Setup squid rewrite program: in /etc/squid/squid.conf insert the line: url_rewrite_program /absolute/path-to/rewrite.php Default installation of squid on Ubuntu will do just fine with this single-line change. This will make squid pass every URL requested by client to rewrite.php script for possible silent redirection. 3. Setup targetted websites Edit config.ini file and insert a section for each website. Section name will be the site id. Each section should have a payload= and manifest= values. For example, to spoof example.com login page, enter: [example_com] payload=http://example.com/login.asp manifest=http://example.com/images/blank.gif 'payload' is the URL that should be replaced in the offline cache. 'manifest' is the cache manifest file. Choose some static file present on the live domain to make the attack more permanent (browsers will try to refresh cache manifest on each page load). 4. Prepare the payload files At most three files will be used for each website: - <site-id>.payload is the payload file. It's a copy of a website page with additional decorations made by you (e.g. form values stealing, script injection etc.) - <site-id>.manifest is the injected cache manifest file. - <site-id>.append (optional) - instead of using .payload file, the actual URL will be fetched by the server and this file will be appended right before </body>. Not as bulletproof as .payload file, but may sometimes be simpler to set up. If .payload and .append files are present, .payload takes precedence. There are also default.manifest and default.append files used when there is no specific file for a given site id. In every file you may use these strings: %%manifest%% - manifest URL %%payload%% - payload URL Also, <html manifest=> declaration and appropriete 'cache for 10 years' HTTP headers will be added automatically to payload. 5. Set up squid proxy in the HTML5-supporting browser (or make an open access point serviced by the squid proxy) and enjoy :) Default squid port is 3128. When you're changing config.ini entries, be sure to restart squid (sudo /etc/init.d/squid restart) to refresh the changes. License ======= Copyright (c) 2010 Krzysztof Kotowicz Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.