Hello Guyzz!! :D
Today we will learn how to pen test Cross-Site Scripting on an Android device and how a hacker can exploit an Android phone using XSSF (Cross-Site Scripting Framework) from Kali Linux.
What is Cross site Scripting??
Cross site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
Note: This is only for educational purposes!!
Requirements to perform XSSF:
1. Kali Linux installed on your machine
2. Cross-Site Scripting Framework tool (you can find it here: https://code.google.com/p/xssf/ )
3. Metasploit Framework, which comes pre-installed in Kali
4. An Android phone to run exploits
OK then, let's get started…
Step 1: Open the terminal and navigate to /usr/share/metasploit-framework using the below command:
Step 2: Now install the XSSF framework tool using the following command from within the Metasploit directory:
svn export http://xssf.googlecode.com/svn/trunk/ XSSF
Screenshot of the above step:
The XSSF tool already exists on my machine…
Step 3: Navigate to Applications > Kali Linux > System Services > Metasploit and click on community / pro start.
Also restart MySQL: Applications > Kali Linux > System Services > MySQL > mysql restart
Now open a new terminal and type msfconsole
Step 4: Now load the XSSF framework on a specified port using the following command:
load xssf Port=80 Uri=/xssf/ Public=true Mode=Verbose
Here, I am using port 80.
Now, to list the URLs which have to be sent to the victims, use the following command:
Here is the screenshot of all the above:
If you want to exploit a device which is in your LAN, you should send this URL to the victim:
http://<your lan ip>:80/xssf/test.html
Or, if you want to exploit a device outside the LAN, you should send this URL to the victim:
Here, PUBLIC-IP refers to your external IP.
Use any online IP address service, like whatsmyipaddress, to find your IP.
To exploit a device outside the LAN you need to forward whichever port you use. For example, if I wanted to exploit a device outside the LAN, I must forward my port 80.
To learn how to do port forwarding, visit this link: Port Forwarding
OK, now we will continue with exploiting a device in the LAN.
Shorten your URL using an online URL shortener and then send it to the victim so that he/she just clicks on it.
When the victim clicks on the URL, he/she is said to be exploited.
Here is the screenshot of the victim:
Information about the victim can be viewed by opening the main log page:
http://<your lan ip>:80/xssf/gui.html?guipage=main
The attacker should use this page even when exploiting a device outside the LAN to gather information about the victim.
A sample screenshot of the log page is given below:
Now that the victim is exploited, we can use the auxiliaries to steal files from the device, to steal cookies, to send alert messages, etc.
Here we will send an alert message to the victim saying that it's an XSSF attack!!
First, search for the auxiliary you want to use using the following command:
Here are the screenshots of the auxiliaries:
I will be using the auxiliary highlighted in the screenshot to send the alert message to the victim.
The auxiliary can be used as follows:
use auxiliary/xssf/public/misc/alert [hit enter]
Now type: show options [hit enter]
You can set the alert message you want using the set AlertMessage command.
Here is the screenshot:
To run the auxiliary, just type run and hit enter.
The alert message will be displayed on the victim's screen, as shown:
The log page is also updated according to the auxiliaries you run on the victim's device, as shown below:
Note: If you use an auxiliary which can steal files from the victim's device, the file can be downloaded from the above log page when exploited successfully!!
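Seen from the defender's side, the two URLs used above (the test.html link sent to the victim and the gui.html?guipage=main log page) leave a recognisable trace in web proxy logs. The following is an added example, not part of the original tutorial: the log format, the function names and the sample lines (documentation-range IPs) are all constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines, "<client> <method> <url>" (format is an assumption).
SAMPLE_LOG = """\
10.0.0.23 GET http://192.0.2.10:80/xssf/test.html
10.0.0.23 GET http://example.com/index.html
10.0.0.41 GET http://192.0.2.10/xssf/gui.html?guipage=main
10.0.0.23 GET http://intranet.example/xssf-docs/readme.html
10.0.0.57 GET http://198.51.100.7:8080/XSSF/test.html
malformed line
"""

XSSF_PREFIX = "/xssf/"  # the Uri= value from the tutorial's load command

def is_ip_literal(host):  # True when the URL host is a bare IP, not a DNS name
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(url):
    """Return (kind, host_is_ip) for a URL under the XSSF prefix, else None."""
    parts = urlsplit(url)
    path = parts.path.lower()  # lenient match: a defender's choice, not XSSF behaviour
    if not path.startswith(XSSF_PREFIX):
        return None
    page = path[len(XSSF_PREFIX):]
    if page == "test.html":
        kind = "victim-url"
    elif page == "gui.html" and parse_qs(parts.query).get("guipage") == ["main"]:
        kind = "log-page"
    else:
        kind = "other-xssf-path"
    return kind, is_ip_literal(parts.hostname or "")

def scan(log_text):
    """Return (client, kind, host_is_ip) for every line that matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()  # lines that do not fit the assumed format are skipped
        hit = classify(fields[2]) if len(fields) == 3 else None
        if hit:
            hits.append((fields[0], *hit))
    return hits

if __name__ == "__main__":
    for client, kind, host_is_ip in scan(SAMPLE_LOG):
        print(client, kind, "ip-literal host" if host_is_ip else "named host")
```

Because Uri= is a parameter of the load command, the /xssf/ path only catches setups that keep the value shown in this tutorial. A hit where the host is a bare IP address is the stronger signal and is worth correlating with the short-link click that preceded it.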
So try this stuff and enjoy!!
Have a good day!!
Tutorial by: Kartik Durg
Thank you.. ;)