Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies, allowing you to browse sites as your victims.

CursedChrome

NOTICE

I thought this was clearly implied, and that these disclaimers were redundant at this point, but:

This is a tool written for professional red teams. It helps simulate an often unpracticed attack scenario involving malicious browser extensions. If you're planning on using this to maliciously spy on your friend/girlfriend/victims, let me know your address and intent and I'll gladly forward your message to your local LEO for your convenience.

Blue Teams/Defenders/CorpSec

If you're on the blue team and wondering about ways to defend against this, take a look at my ChromeGalvanizer project, which generates easy-to-install Chrome enterprise policies to defend against attacks like this. An easy-to-use hosted version is available here.

What is it?

A (cursed) Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies. By using the proxies this tool creates you can browse the web authenticated as your victim for all of their websites.

Why make it?

More and more companies are moving toward the "BeyondCorp" model (e.g. no flat internal network, zero trust everything). This is usually implemented via a reverse proxy/OAuth wall gating access to services, eliminating the need for a VPN. As access and tooling move towards being strictly available via the web browser, having a way to easily hijack and use victims' web sessions becomes an ever-increasing necessity.

This is also especially useful for locked-down orgs that make use of Chrome OS, where traditional malware can't be used at all. It's also stealthy, as all requests will have the appropriate source IP, cookies, client certificates, etc., since everything is proxied directly through the victim's browser.

Screenshots

Web Admin Panel

Browsing Websites Logged In as Victim (using Firefox with HTTP Proxy)

(Rough) Infrastructure Diagram (docker-compose Used)

Ports & Listening Interfaces

  • 127.0.0.1:8080: HTTP proxy server (using one of the credentials in the admin panel, you can auth to a specific victim's Chrome browser via this HTTP proxy server). You also need to install the generated CA available via the admin panel before using this.
  • 127.0.0.1:4343: Websocket server, used for communicating with victim Chrome instances to transfer HTTP requests for proxying and sending commands.
  • 127.0.0.1:8118: Admin web panel for viewing victim Chrome instances and getting HTTP proxy credentials.

IMPORTANT: If you are proxying through CursedChrome using Firefox please use FoxyProxy. The built-in proxy support for Firefox has bugs in its implementation of authenticated HTTP proxies which will drive you to madness.

Requirements

Installation & Setup (~5-10 Minutes)

Step-By-Step Video Tutorial

If you're looking for an easy video walkthrough on setting up CursedChrome check out this video created by @TurvSec.

If you'd prefer just reading the installation instructions, continue on.

Setting Up the Backend

The backend is entirely dockerized and can be set up by running the following commands:

cd cursedchrome/
# Start up redis and Postgres containers in the background
docker-compose up -d redis db
# Start the CursedChrome backend
docker-compose up cursedchrome

Once you start up the backend you'll see an admin username and password printed to the console. You can log into the admin panel at http://localhost:8118 using these credentials (you will be prompted to change your password upon logging in since the one printed to the console is likely logged).

Installing the CursedChrome CA for Proxying HTTPS

Once you have the backend set up, log in to the admin panel at http://localhost:8118 (see above) and click the Download HTTPS Proxy CA Certificate button. This will download the generated CA file, which is required in order to proxy HTTPS requests.

You will need to install this CA into your root store; the following are instructions for various OS/browsers:

Setting Up the Example Chrome Extension Implant

To install the example Chrome extension implant, do the following:

  • Open up a Chrome web browser and navigate to chrome://extensions.
  • Click the toggle in the top-right corner of the page labeled Developer mode to enable it.
  • Click the Load unpacked button in the top-left corner of the page.
  • Open the extension/ folder inside of this repo folder.
  • Once you've done so, the extension will be installed.

Note: You can debug the implant by clicking on the background page link for the text Inspect views background page under the CursedChrome Implant extension.

After you've installed the extension it will show up on the admin control panel at http://localhost:8118.

Required for some sites: Sync Cookies from Remote Victim

Some sites* require client-side cookies (i.e. cookies read by JavaScript); for these sites you'll need to have the cookies permission in your implant's manifest.json in addition to the other required permissions.

If you have this permission declared, you can then use the Firefox/Chrome extension found in the cookie-sync-extension/ folder. Load it into your web browser, enter the web panel URL (usually http://localhost:8118) and your bot's username/password, and click the Sync Remote Implant Cookies button to load all of your victim's cookies locally.

NOTE: For Firefox you will need to load the manifest.json file as a temporary add-on.

How magical!

* Google Cloud Console is one of these sites - why Google? Why?

Production/Operational Usage

Modifying Implant Extension

An example implant extension has been included under the extension/ folder. The file extension/src/bg/background.js contains the extension side of the implant, which connects to the service via WebSocket to proxy requests through the victim's web browser.

The following extension permissions are needed by the implant to operate:

"permissions": [
	"webRequest",
	"webRequestBlocking",
	"<all_urls>"
]

If you want to utilize the Cookie Sync extension to sync the remote browser's cookies with your own (required for some sites), ensure the permission cookies is also declared.

This code contains comments on how to modify it for a production setup. Basically, that means doing the following:

  • Minifying/stripping/uglifying the JavaScript code
  • Modifying the WebSocket connection URI in the initialize() function to point to the host you've set up the backend on. By default it's set to ws://localhost:4343 which will work with the out-of-the-box dev setup described in this README.
  • If you are using this in an attack scenario, you will also need to find where redirect-hack.html is referenced in background.js and replace instances with an HTML file which already exists in the extension you're overriding. Viewing the extension's source should make this easy.

In a real world attack, this extension code would be used in one of the following ways:

  • Injected into an existing extension with proper permissions via Chrome debugging protocol.
  • Hidden inside of another extension
  • Force-installed via Chrome enterprise policy

These topics are outside of the scope of this README, but eventually will be covered separately.

Further Notes on Production Deployments

  • You will likely want to run an Nginx server with a valid HTTPS certificate doing a proxy_pass to the WebSocket server (running on 127.0.0.1:4343). Then you'll have TLS-encrypted websocket traffic. If you go this route, you'll want to update your Websocket address from ws:// -> wss://.
  • For a more secure setup, don't expose the HTTP proxy and admin panel to the Internet directly. Opt for SSL port-forwarding or use a bastion server to connect to it.
  • For situations with a large number of victims/bots/implants running, you can horizontally scale out the CursedChrome server as wide as you need to. The socket handling is completely decoupled via redis, so it can (theoretically) support tens of thousands of concurrent clients.

Attributions

  • The AnyProxy source code was heavily modified and used for part of this project.
  • The icon for this project was designed by monochromeye on Fiverr (paid), if you're looking for graphic design work check her services out.
