Session Hijacking Visual Exploitation

Session Hijacking Visual Exploitation is a tool that allows for the hijacking of user sessions by injecting malicious JavaScript code.

Installation

Prerequisites

To run Session Hijacking Visual Exploitation, you will need to have the following software installed:

• Node.js (version 19.0.0 is recommended due to compatibility issues with newer versions)
• npm
• nvm (Node Version Manager, recommended for easily switching between Node.js versions)

Server Installation

To install the server, follow these steps:

1. Clone the repository from GitHub:

git clone [email protected]:doyensec/Session-Hijacking-Visual-Exploitation.git

2. Navigate to the server directory:

cd Session-Hijacking-Visual-Exploitation/server

3. Install the server dependencies:

npm install

Client Installation

Session Hijacking Visual Exploitation provides pre-compiled client applications, which you can download directly from the GitHub releases. If you want to compile the application yourself or develop further, follow these steps:

Direct Download:

1. Go to the Releases section of the GitHub repository.
2. Download the suitable package for your OS.
3. Install the application as you would with any other software on your OS.

Compile & Build Using Electron Builder:

1. Clone the repository:

   git clone [email protected]:doyensec/Session-Hijacking-Visual-Exploitation.git

2. Navigate to the client directory:

   cd Session-Hijacking-Visual-Exploitation/client

3. Install client dependencies:

   npm install

4. Build the application for your OS:

   npm run pack

This will generate executable files for your Operative System. The resulting files will be in the dist directory.

Node.js Version Recommendation

Due to compatibility issues with recent Node.js versions, we recommend using Node.js version 19.0.0. You can easily switch to this version using nvm:

1. Install nvm by following the instructions here.

2. After installing nvm, install and use Node.js version 19.0.0:

nvm install
nvm use

With the above commands, your terminal session will now be using Node.js version 19.0.0.

Usage

To use Session Hijacking Visual Exploitation, follow these steps:

1. Start the server:

cd Session-Hijacking-Visual-Exploitation/server

npm start

The first time the server starts, it will require an initial setup. Follow the provided steps for configuration

2. Start the client:

3. Log in with the previously created user (it will be required during the configuration)

4. On the client, use the button to download the certificate and install it

5. Inject the malicious JavaScript in the browser (You can obtain the script in the payloads page)

Configuration

We provide several options for configuration:

• npm run createUser: Create a new user
• npm run regenerateToken: Regenerate the token used for JWT signatures
• npm run setConfig: Establish server ports and specify whether SSL will be used. If SSL is to be used, add the privateKey.pem and certificate.pem files to the files directory

Modes

On the tool you will notice there are two different modes:

1. Interactive: It will allow you to access to the different websites using the victim browser's security context
2. Visual: It will show you what the victim is seing and doing in the hooked browser

Templates

After starting the server and the client, you have the ability to utilize templates for advanced exploitation:

• Office Document Templates: By uploading templates with the extensions .docm, .pptm, or .xslm, the tool will search for URLs pointing to Word, Excel, or PowerPoint documents. Upon finding them, it downloads the documents, injects the macros from the uploaded templates, and alters the download URL. Consequently, users will download the original document injected with the specified macros. You can view these office documents by clicking on the 'List Files' button.

• HTML Template for CORS Exploitation: If you upload an HTML template, it's primarily used to exploit CORS misconfigurations. Under /connect, the uploaded HTML content will be displayed, also injecting the malicious JS. This results in a new client that can be used interactively with sites vulnerable due to improper CORS configurations.

Screenshots