Tuesday, 30 September 2014

Kali NetHunter - part 4

To quote Eric T Cartman "Beefcake.. BEEFCAKE!!!"

Today's quick look was on BeEF project. Happy days! On through the kalimenu to the Exploitation tools [6] and then Beef-XSS [2] which ... start the service and waits 8 secs! Hmm...

Small parenthesis at menu [6] the option 0 exits kalimenu and does NOT "Exit to main menu" as it says" if you edit /usr/bin/kalimenu and add on line 308
0) f_interface ;;
it does what its supposed to :) since you are at it you can add the same on line 238 for menu [4] (this will probably be fixed soon.

The big positive with Beef-XSS though was performance, because its so lightweight it is perfect to run in such a device, all in all very good experience :)

Now the goblins that feed the OCD in my head will tell you that the Beef-XSS menu is not really for kalimenu... it belongs in the local webserver with the rest of the services... because thats what it is. So lets allow the goblins do what they do best :)

The file we want to change is /sdcard/htdocs/includes/kaliservices.php but we will need a script before hand so.. We need some new scripts to start and stop the service so we will create them in /sdcard and then transfer them in their right place under /system/xbin/ (which is ro in the chroot).

Open the Terminal App and su to root (not in Kali you should see root@grouper:/ #) Make sure that kali is down first
killkali
mount -o remount,rw /system
cp -p /system/xbin/check-kalissh /sdcard/check-kalibeef-xss
cp -p /system/xbin/start-ssh /sdcard/start-beef-xss
cp -p /system/xbin/stop-ssh /sdcard/stop-beef-xss
/sdcard/check-kalibeef-xss should contain:
if [[ -n $(ps |grep ruby|grep 104) ]]; then
    echo "1"
else
    echo "0"
fi
the contents of  /sdcard/start-beef-xss
chroot /data/local/kali-armhf /bin/bash -c "chmod 777 /dev/null"
chroot /data/local/kali-armhf /bin/bash -c "/etc/init.d/beef-xss start"
sleep 35
am start -a android.intent.action.VIEW -d http://127.0.0.1:3000/ui/panel
and /sdcard/stop-beef-xss
chroot /data/local/kali-armhf /bin/bash -c "chmod 777 /dev/null"
chroot /data/local/kali-armhf /bin/bash -c "/etc/init.d/beef-xss stop"
Like good citizens we  remount /system to ro and boot kali
mount -o remount,ro /system
bootkali
We now edit the kaliservices.php (via a kali terminal or ssh or whatever) file to add in the top services section
$kaliBeefXSSStatus             = shell_exec('sh /system/xbin/check-kalibeef-xss') == 0 ?       ' not-running'  :       '';
The above command so far has generated a "syntax error, unexpected '=' " but until I figure it out it can be ommited

At the end before the closing </form> we add:
              <div class="form-group">
                <label class="col-sm-2 control-label">Kali Beef-XSS</label>
                <div class="col-sm-6">
                                        <input class="switch startkalibeef-xss" id="startkalibeef-xss" type="checkbox" data-on-color="success" data-off-color="danger" <?php if ( $kaliBeefXSSStatus !=  ' not-running' ) echo 'checked'; ?>>
                                        <div id="kalibeef-xssmessage"></div>
                </div>
              </div>


Now the last part is in /sdcard/htdocs/actions.php were we need to add(need to add it in the end above the "default:" line:

        case 'startkalibeef-xss';
        $o = shell_exec('start-beef-xss');
        $res = array('status' => 100, 'message' => 'Beef-XSS starting. Wait for it...');
        break;
        case 'stopkalibeef-xss';
        $o = shell_exec('stop-beef-xss');
        $res = array('status' => 100, 'message' => 'Beef-XSS stopped.');
        break;


And there you go... now the goblins can rest for a while :)