[Full-disclosure] AttackAPI 0.8 is OUT


I would recommend AttackAPI 0.8 to everyone who is interested in
high-end. It provides a good demonstration of what is possible today.
That, I hope will take our awareness even further.

AttackAPI slowly moves to its 1.0 release where I am planning to
standardize its core, fix discovered bugs and make it even more
cross-platformed. Still, there is a long way to go but I am willing to
take my chances. There are plans for 0.9 but I will keep them
undisclosed for now.

So what 0.8 has to offer? There are a couple of things that worth
attention. I will start in chronological order.

The Client interface can be used to enumerate the current client. It
has functionalities to fingerprint the current operating system,
installed plugins, the browser in use and the local NATed IP address
and hostname. This tool is brilliant for doing the first steps of any
targeted attack.

The Server, on the other hand, can be used to fingerprint the current
server. It provides information about its domain, IP address,
platform, server software and the application architecture. Its
purpose is to identify what is currently available. That is important
because the Web is very distributed and agile network and controlling
dozens of injected clients is a task on its own.

The AuthorizationForcer interface is noting but a technique that can
be used when the attacker is interested in discovering Basic Auth
credentials. It is not very generic but it can be quite successfully
executed on internal networks where the security is more relaxed and
administrators make use of shortcut URLs to login to different

The ExtensionScanner interface is all the attacker needs to find
currently installed extensions. Why is that important? Well, there is
a lot one can say but in general that information can be used to find
who is previewing the current resource (you are developer or a user),
what services you are currently using (do you have flickr or
del.icio.us extensions installed) and also locate vulnerable
extensions. If you are developer, it is very likely that you have
access to source code repositories. This information combined with
other techniques can be used to steal your work or identify projects
that are yet to be released. The age of professional attackers are
slowly hitting the 21st century.

The HistoryDumper is every web user nightmare when it comes to
privacy. Attackers can abuse Firefox, IE and Opera accessibility
functionalities to tell where you have been. The marketing tycoons
will use it to sell you even more goods. This is an excellent tool for
corporate espionage.

Than it comes the NetworkSweeper. The tool does one thing only:
discover live hosts. Currently it supports only one type of sweeping
but in 0.9 and 1.0 versions of AttackAPI a lot more other techniques
will be implemented.

But what is a sweep without a port scan? Port scanning from JavaScript
used to be considered an impossible task. Well, that's not the case
anymore. Today attackers can use your browser to scan everybody they
want without any fear of being penalized. Distributed scanning is also
possible. Imagine how a well spread backdoored media file can scan the
entire Internet for well known vulnerabilities (the VNC authentication
bypass bug) in a quarter of the time required.

That won't be possible without help from the NetworkCalculator.
Generating IPs, cutting subnets, transforming IP address are just a
few of the functionalities currently supported.

Than the JavaScript shell is not what it seams to be. Yes, it is a
good tool that you can use to quickly try JavaScript expressions but
it is a lot more interesting to see the internal workings behind the
fancy black console. In the core you will find functionalities that
can be used to easily integrate a shell like interface to any web
backdoor. Do you want to bind a fancy SQL console to a SQL Injection
attack in order to emulate shell interface to the backend database?
The MasterAPI library is ready to that.

MasterAPI and the RequestBuilder from AttackAPI is all that the
attacker needs to achieve that. Building XMLHttpRequest objects is
quite easy. The use of them is up to your imagination.

Sometimers attackers want to identify usersnames. If your username is
Persi Johnson and you have a del.icio.us extension installed, it is
quite likely that the same http://del.icio.us/PersiJohnson is you. The
UsernameScanner is a handy trick that can be used in many situations.
Enumerating local user names has never been easier.

The URLScanner seam to be simple, yet, a lot more needs to be done to
expose its efficiency. Do you want to run Nikto from your browser or
you want to build a JavaScript based vulnerability scanning tool? All
you need to do is to provide the database and the rest will be
magically handled for you.

Base64 is the right way of doing many things. So we use it here as well.

GoogleSearch scares me when I start thinking about JavaScript worms
that propagate outside their origin. AttackAPI provides an example of
what is possible. I believe that we will see a lot more of these in
the future.

The KeyLogger interface can be used to capture key evens (shortcut
keys included) and tamper them. No longer has the attacker needed to
write something specific in order to get your keyboard input. The
generic interface AttackAPI.KeyLogger can be used anywhere.

The CookieJar is noting but a helper module that helps with cookie
manipulation. Once you get into Web Application security, session
identifiers is what matters most. However, it must be noted that
cookies can be used in many other ways one of which is related to
installing persistent backdoor when DOM based Cross-site scripting
issue is discovered.

The Zombie (ZombieAPI) is my favorite because it redefines the
boundaries of today's computer security. Don't open any mp3,
QuickTime, PDF, or html file that you don't trust. It might have one
of these installed. Once you are caught in the net, the attack will
persist on other resources where the attacker has access to. So, while
you are happily watching the next blockbuster trailer, keep in mind
that you may as well provide the infrastructure for launching all
sorts of malicious activities; including DDoS, Port Scanning, Network
Sweeping, Website defacement, high-end hacking.

Finally, the ZombieMaster demonstrates the other side of browser
control. This tool makes use of the ZombieAPI library and the
bidirectional channel to control inventories of infected web
resources. The MySpace and Yahoo worms could have been a lot more
dangerous if they supported similar types of feature.

That is all I have to say. The attack vectors are here. All we need to
do is to find cure for them. Vendors are working on solutions that may
someday become the new type of software you will use as a protection
mechanism. I hope that AttackAPI will be used for more good than bad.

pdp (architect) | petko d. petkov

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/