Wubi

XMPPloit: A Tool to Attack XMPP Connections!


A new day and a new tool from the Blackhat USA 2012 tool arsenal – XMPPloit! Before we talk about the tool itself, let us first look at what XMPP is. XMPP stands for Extensible Messaging and Presence Protocol and is a streaming XML protocol that was previously named Jabber. It is an open technology for real-time communication, which powers a wide range of applications including instant messaging, presence, multi-party chat, voice and video calls, collaboration, lightweight middleware, content syndication, and generalized routing of XML data.


Back to the actual tool now. XMPPloit is an open source, command-line tool that can help you to attack XMPP connections. Successful attacks can allow you (the attacker) to place a gateway between the client and the server and perform different attacks on the client stream. It exploits implementation vulnerabilities on the client and server side of the XMPP protocol. Precisely put, XMPPloit is an application that establishes a gateway between the client and server, allowing you to monitor and manipulate XMPP traffic between them (taking advantage of vulnerabilities in client/server implementations and in the protocol itself). By default the application is configured to work with Google Talk, so if you want to use it for another system, you must specify the IP or XMPP server domain.

The main goal is for the whole process to be transparent to the user, without ever replacing any certificate (as HTTPS attacks do).

Features of XMPPloit:

  • Downgrade the authentication mechanism (can obtain the user credentials)
  • Force the client not to use an encrypted communication
  • Set filters for traffic manipulation
  • Filters that have been implemented in this version for Google Talk are:
    • Read all the user’s account mails
    • Read and modify all the user’s account contacts (whether or not they are in the roster).

The open source tool has been programmed in Java and only requires the HttpClient library (Apache). We actually had to wait for this one to be released since without authentication, we could not download the tool.

Download XMPPloit:

XMPPloit 1.0: XMPPloit.7z / XMPPloit_src.7z

Source: PenTestiT
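
The first two features listed above (authentication downgrade and forcing an unencrypted session) can only work against a client that accepts whatever stream features it is handed. A client-side policy check for that, as an added example that is not part of the original post or of XMPPloit: the element names and namespaces are those of RFC 6120, while `check_features`, the finding labels, the `seen_before` memory and both sample stanzas are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS_TLS = "{urn:ietf:params:xml:ns:xmpp-tls}"
NS_SASL = "{urn:ietf:params:xml:ns:xmpp-sasl}"
CLEARTEXT = {"PLAIN", "LOGIN"}  # mechanisms that hand the password to the peer


def check_features(features_xml, tls_active, seen_before=frozenset()):
    """Return policy violations for one <stream:features/> element.

    seen_before: mechanisms this server offered in earlier sessions
    (hypothetical client-side memory, used to notice a downgrade).
    """
    # A real client uses a streaming parser that rejects DTDs; fromstring
    # is enough for a single, already-framed features element.
    root = ET.fromstring(features_xml)
    starttls = root.find(NS_TLS + "starttls")
    offered = {m.text.strip().upper()
               for m in root.iter(NS_SASL + "mechanism") if m.text}
    findings = []
    if not tls_active:
        # Without TLS the features are unauthenticated: a missing
        # <starttls/> or a password-revealing mechanism is a stop signal.
        if starttls is None:
            findings.append("starttls-not-offered")
        if offered & CLEARTEXT:
            findings.append("cleartext-auth-before-tls")
    # Stronger mechanisms seen earlier that have vanished from the offer.
    missing = {m for m in seen_before if m not in CLEARTEXT} - offered
    if offered and missing:
        findings.append("mechanism-downgrade:" + ",".join(sorted(missing)))
    return findings


# Constructed sample stanzas (not captured traffic).
_OPEN = "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
HONEST = (_OPEN + "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>"
          "<required/></starttls></stream:features>")
TAMPERED = (_OPEN + "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
            "<mechanism>PLAIN</mechanism></mechanisms></stream:features>")

if __name__ == "__main__":
    print(check_features(HONEST, tls_active=False))
    print(check_features(TAMPERED, False, {"SCRAM-SHA-1", "PLAIN"}))
```

A client that aborts the connection on any finding, instead of falling back, gives a gateway of this kind nothing to negotiate down to.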
