Initiating the Rupture attack: The injector component

HTTP is an application-layer protocol carried over TCP. Most websites nowadays exchange data over HTTPS, which wraps HTTP in SSL/TLS encryption. However, there are still websites using plain HTTP, and these send and receive data without any encryption.

If an attacker is on the same network as the victim, they can perform a Man-in-the-Middle (MitM) attack.

MITM

In a MitM attack, the attacker interposes themselves between the victim and the router using ARP spoofing and sniffs the packets being exchanged. If the victim visits an HTTP site, the attacker can read the transmitted packets or alter their content, for example by injecting arbitrary code into them. This weakness of unencrypted, unauthenticated HTTP is what our injector component exploits.
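From the defender's side, the ARP spoofing that this MitM relies on is observable on the local network: the gateway's IP suddenly resolves to a new MAC address, and a single MAC starts answering for several IPs. The following Python snippet is an added example, not part of the original post or of Rupture's code; it flags both indicators in a stream of observed ARP replies, using constructed addresses.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply, i.e. "sender_ip is at sender_mac"."""
    sender_ip: str
    sender_mac: str


# Constructed sample traffic (all addresses are made up). The first two replies
# are the legitimate gateway and victim; the last two are a third MAC claiming
# both of their IPs, which is what an ARP-spoofing MitM looks like on the wire.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "00:11:22:33:44:01"),
    ArpReply("192.168.1.10", "00:11:22:33:44:0a"),
    ArpReply("192.168.1.1", "00:11:22:33:44:ee"),
    ArpReply("192.168.1.10", "00:11:22:33:44:ee"),
]


def detect_arp_spoofing(replies, gateway_ip):
    """Return alert strings for two indicators of ARP spoofing:
    1. an IP (flagged loudly if it is the gateway) is announced with a MAC
       different from the one first learned for it;
    2. a single MAC announces itself as more than one IP, as an attacker does
       when answering for both the victim and the gateway.
    Each indicator is reported once per (ip, mac) pair."""
    first_mac = {}                      # ip -> first MAC learned for it
    ips_by_mac = defaultdict(set)       # mac -> set of IPs it has claimed
    alerts, reported = [], set()
    for r in replies:
        known = first_mac.setdefault(r.sender_ip, r.sender_mac)
        key = ("change", r.sender_ip, r.sender_mac)
        if known != r.sender_mac and key not in reported:
            reported.add(key)
            who = "GATEWAY " if r.sender_ip == gateway_ip else ""
            alerts.append(f"{who}{r.sender_ip} moved from {known} to {r.sender_mac}")
        ips_by_mac[r.sender_mac].add(r.sender_ip)
        if len(ips_by_mac[r.sender_mac]) > 1 and ("multi", r.sender_mac) not in reported:
            reported.add(("multi", r.sender_mac))
            alerts.append(f"{r.sender_mac} claims several IPs: {sorted(ips_by_mac[r.sender_mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, gateway_ip="192.168.1.1"):
        print("ALERT:", alert)
```

On a real network the replies would come from a packet capture; a MAC that legitimately changes (e.g. a replaced router) will also trigger the first indicator, so treat the alerts as a prompt to verify, not as proof.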

In our implementation, the target endpoint is an HTTPS website such as Gmail or Facebook, but we need HTTP sites for the client code injection: HTTP sites are the docks of our attack. We assume the adversary controls some network the victim is connected to. Our injector injects the client code into all unauthenticated HTTP responses that the victim receives. This JavaScript code is then executed by the victim's browser in the context of the respective domain name. We use Bettercap to perform the HTTP injection: the local network is ARP spoofed and all traffic is forwarded in a Man-in-the-Middle manner. The injector itself is simply a series of shell scripts that use the appropriate Bettercap modules to perform the attack.

What our injector actually does is run the following command:

sudo bettercap -T ${VICTIMIP} --proxy --proxy-module injectjs --js-file dist/main.js

This command sets the victim's IP as the target and starts an HTTP proxy that injects the JavaScript code from the given file into the HTTP responses reaching the victim's browser.

If the attacker doesn't already know the victim's IP, they first need to run the following command:

sudo bettercap

before initiating the injector. This lists all the IPs in the network along with the corresponding machine names, from which the attacker identifies the victim's IP.

Since the injector infects all HTTP responses, the attack gains robustness. The injected client code remains dormant until it is asked to wake up by the command-and-control channel. This means that the user can switch between browsers, reboot their computer, or close and reopen browser tabs, and the attack will keep running as long as the victim has at least one open HTTP session.

The injector component needs to run on the victim's network and is therefore designed to be lightweight and stateless. It can be easily deployed on a machine such as a Raspberry Pi, and can be used for large-scale attacks on public networks such as those in coffee shops or airports. Multiple injectors can be deployed to different networks, all controlled by the same central command-and-control channel.

While in our case injection is performed on the local network by altering HTTP responses, the injector component is independent of the rest of the attack and can be replaced by alternative means. Other methods include sending a link directly to the victim, in which case the robustness of the attack is limited, or injecting code at the ISP or router level if the adversary has that level of access.

Image source: https://toschprod.files.wordpress.com/2011/11/main_the_middle.jpg