http://www.gnucitizen.org/blog/attackapi-08-is-out
http://www.gnucitizen.org/projects/attackapi
I would recommend AttackAPI 0.8 to everyone who is interested in high-end. It provides a good demonstration of what is possible today. That, I hope, will take our awareness even further. AttackAPI slowly moves to its 1.0 release, where I am planning to standardize its core, fix discovered bugs and make it even more cross-platform. Still, there is a long way to go, but I am willing to take my chances. There are plans for 0.9, but I will keep them undisclosed for now.

So what does 0.8 have to offer? There are a couple of things that are worth attention. I will start in chronological order.

The Client interface can be used to enumerate the current client. It has functionalities to fingerprint the current operating system, installed plugins, the browser in use and the local NATed IP address and hostname. This tool is brilliant for doing the first steps of any targeted attack.

The Server, on the other hand, can be used to fingerprint the current server. It provides information about its domain, IP address, platform, server software and the application architecture. Its purpose is to identify what is currently available. That is important because the Web is a very distributed and agile network, and controlling dozens of injected clients is a task on its own.

The AuthorizationForcer interface is nothing but a technique that can be used when the attacker is interested in discovering Basic Auth credentials. It is not very generic, but it can be quite successfully executed on internal networks where the security is more relaxed and administrators make use of shortcut URLs to log in to different devices.

The ExtensionScanner interface is all the attacker needs to find currently installed extensions. Why is that important? Well, there is a lot one can say, but in general that information can be used to find who is previewing the current resource (are you a developer or a user), what services you are currently using (do you have flickr or del.icio.us extensions installed) and also to locate vulnerable extensions. If you are a developer, it is very likely that you have access to source code repositories. This information, combined with other techniques, can be used to steal your work or identify projects that are yet to be released. The age of professional attackers is slowly hitting the 21st century.

The HistoryDumper is every web user's nightmare when it comes to privacy. Attackers can abuse Firefox, IE and Opera accessibility functionalities to tell where you have been. The marketing tycoons will use it to sell you even more goods. This is an excellent tool for corporate espionage.

Then comes the NetworkSweeper. The tool does one thing only: discover live hosts. Currently it supports only one type of sweeping, but in the 0.9 and 1.0 versions of AttackAPI a lot more techniques will be implemented.

But what is a sweep without a port scan? Port scanning from JavaScript used to be considered an impossible task. Well, that's not the case anymore. Today attackers can use your browser to scan everybody they want without any fear of being penalized. Distributed scanning is also possible. Imagine how a well spread backdoored media file can scan the entire Internet for well known vulnerabilities (the VNC authentication bypass bug) in a quarter of the time required. That won't be possible without help from the NetworkCalculator. Generating IPs, cutting subnets and transforming IP addresses are just a few of the functionalities currently supported.

Then, the JavaScript shell is not what it seems to be. Yes, it is a good tool that you can use to quickly try JavaScript expressions, but it is a lot more interesting to see the internal workings behind the fancy black console. In the core you will find functionalities that can be used to easily integrate a shell-like interface into any web backdoor. Do you want to bind a fancy SQL console to a SQL Injection attack in order to emulate a shell interface to the backend database? The MasterAPI library is ready for that. MasterAPI and the RequestBuilder from AttackAPI are all that the attacker needs to achieve that. Building XMLHttpRequest objects is quite easy. The use of them is up to your imagination.

Sometimes attackers want to identify usernames. If your username is Persi Johnson and you have a del.icio.us extension installed, it is quite likely that http://del.icio.us/PersiJohnson is you. The UsernameScanner is a handy trick that can be used in many situations. Enumerating local user names has never been easier.

The URLScanner seems to be simple, yet a lot more needs to be done to expose its efficiency. Do you want to run Nikto from your browser, or do you want to build a JavaScript based vulnerability scanning tool? All you need to do is to provide the database and the rest will be magically handled for you.

Base64 is the right way of doing many things. So we use it here as well.

GoogleSearch scares me when I start thinking about JavaScript worms that propagate outside their origin. AttackAPI provides an example of what is possible. I believe that we will see a lot more of these in the future.

The KeyLogger interface can be used to capture key events (shortcut keys included) and tamper with them. No longer does the attacker need to write something specific in order to get your keyboard input. The generic interface AttackAPI.KeyLogger can be used anywhere.

The CookieJar is nothing but a helper module that helps with cookie manipulation. Once you get into Web Application security, session identifiers are what matter most. However, it must be noted that cookies can be used in many other ways, one of which is related to installing a persistent backdoor when a DOM-based Cross-site scripting issue is discovered.

The Zombie (ZombieAPI) is my favorite because it redefines the boundaries of today's computer security. Don't open any mp3, QuickTime, PDF, or html file that you don't trust. It might have one of these installed. Once you are caught in the net, the attack will persist on other resources to which the attacker has access. So, while you are happily watching the next blockbuster trailer, keep in mind that you may as well provide the infrastructure for launching all sorts of malicious activities, including DDoS, Port Scanning, Network Sweeping, Website defacement and high-end hacking.

Finally, the ZombieMaster demonstrates the other side of browser control. This tool makes use of the ZombieAPI library and the bidirectional channel to control inventories of infected web resources. The MySpace and Yahoo worms could have been a lot more dangerous if they had supported similar types of features.

That is all I have to say. The attack vectors are here. All we need to do is to find a cure for them. Vendors are working on solutions that may someday become the new type of software you will use as a protection mechanism. I hope that AttackAPI will be used for more good than bad.

-- pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
