A man-in-the-middle attack, or MitM attack, is when a hacker gets on a network and forces all nearby devices to connect to their machine directly. This lets them spy on traffic and even modify certain things. Bettercap is one tool that can be used for these types of MitM attacks, but Xerosploit can automate high-level functions that would normally take more configuration work in Bettercap.
Xerosploit rides on top of a few other tools, namely, Bettercap and Nmap, automating them to the extent that you can accomplish these higher-level concepts in just a couple of commands.
However, Xerosploit can be hit or miss, so don’t be surprised if some webpages can’t be spoofed because the target is using HTTPS or funneling traffic through a VPN. Considering 73% of all websites use HTTPS, you’ll only have success manipulating webpages on the remaining 27%, and only if no VPN is being used.
- Don’t Miss: How to Flip Photos, Change Images & Inject Messages into Friends’ Browsers on Your Wi-Fi Network
Some sites can still be accessed via HTTP because they aren’t redirecting insecure requests to HTTPS, and some don’t even have secure versions yet. Here is a small sample, but there are many more in that 27%:
- alternativenation.net
- baidu.com
- bu.edu
- drudgereport.com
- gnu.org
- go.com
- icio.us
- myshopify.com
- washington.edu
- weevil.info
- wikidot.com
What’s Needed
We’ve only tested Xerosploit out on Ubuntu and Kali Linux, but it may work on macOS. However, you can only select between “Ubuntu / Kali Linux / Others” and “Parrot OS” during the installation process.
You’ll also need the latest version of Python installed on your computer.
Step 1 – Install Xerosploit
First, install Xerosploit off GitHub using git clone.
Then, change into its directory (cd) and start the installer using Python. It will ask you to select your operating system; if using Kali Linux, choose 1 and hit enter.
Step 2Install the Dependencies
For Xerosploit to do its job correctly, you’ll need all of the tools that it built its service on top of, including Nmap, hping3, build-essential, ruby-dev, libpcap-dev, and libgmp3-dev. If you’re using Kali, you probably already have all of these.
And use Python to install tabulate and terminaltables, which will let Xerosploit display information to you in an easy-to-read way. You likely already have these tools too.
Step 3View Xerosploit’s Commands
Start Xerosploit with the xerosploit command. Right away, it will show you information on your network configuration.
Type help to see all of the commands available in Xerosploit.
Step 4Run a Scan to Identify Targets
First, we’ll do some recon to identify a target by running the scan command, which runs on top of Nmap.
You should see a list of IP addresses returned, and if all went well, one of those IP addresses would be the one you want to target. So, type in the IP address of the device you want to target. For me, it’s the “kunshan” device.
Now, it will ask you which module you want to run against the target. If you don’t know the module you want, type help to see a complete list.
Step 5Shake the Target’s Web Browser
Out of all the modules, the most simple one to run is move, which will shake the web browser on the target computer. This helps verify that we have access to the target, or at least, that we can manipulate their connection.
- Don’t Miss: How to Target Bluetooth Devices with Bettercap
To start the Shakescreen effect, use run, which will begin injecting JavaScript code into the browser whenever the target visits a website. But remember, it will only work on webpages that use HTTP and not HTTPS.
So as soon as they open an HTTP webpage, the page should start shaking uncontrollably. At first, the target might think something was wrong with their display until they noticed that the browser window itself and everything behind it are not vibrating. Then they might think their internet is having issues.
!https://i.giphy.com/o5OUQmB5sWVNrHnpa7.gif
This will keep happening on every HTTP webpage they visit until you stop the attack with Control-C in the terminal.
Step 6Replace All Images in the Target’s Browser
Now, let’s test out another module. To return to the module selection screen, type back and enter.
Xerosploit has a fun attack tool called replace that will let us swap out all of the images loading on an HTTP-based webpage with any picture that we want.
To start the Image Replace tool, type run, and it will immediately ask you to add the picture’s path.
Find an image on your computer, then either type out the path or drag-and-drop the image into the terminal window to auto-populate it. Hit enter to start the attack.
Whenever an HTTP-based webpage loads on the target browser, all of its images will be replaced with the one image we chose. It doesn’t always work 100%, so a few images may slip by unchanged, and it can be a little slow depending on the connection speed, but in general, it works pretty well.
!https://i.giphy.com/2jB5jZSY85jfKV3kw8.gif
This will continue to happen on every HTTP page until you stop the attack.
Step 7Capture Data Over the Network
Let’s try another module. To return to the module selection screen, type back and enter.
With the sniff module, we can capture some general data over the network.
Once the Sniffing tool is selected, type run to begin sniffing. It will then ask you if you want to load sslstrip, which will attempt to downgrade traffic so that we can pick up some interesting information that we might otherwise lose.
A new window should open to show all of the packets being intercepted and saved to your computer. In the window, you can easily see which websites the target is visiting and what data is being requested and sent.
!https://i.giphy.com/hjtEyhhlFQslZlrjxa.gif
When you’re done sniffing packets, you can stop the attack with Control-C on your keyboard. Then, you’ll be asked if you want to save the logs or not. Use Y for yes, N for no.
Step 8View All Images Loaded in the Target’s Browser
Let’s try another module. To return to the module selection screen, type back and enter.
Enter driftnet, which is a tool that lets you view every single image that is requested by the target’s browser, then run it. It will then start logging all pictures seen on HTTP webpages from the target browser and save them to the /opt/xerosploit/xedriftnet folder.
When ready to check out the treasure chest of goodies, open a separate terminal window, then change into the “xedriftnet” folder. You can list (ls) its contents then to see what was captured.
Step 9Run the DNS Spoofing Module on a Target
If you want to re-route traffic to a specific IP address, the dspoof module can help. But first, you’ll want to create a fake website to redirect others to on the network. So, visit a website you want to copy, save its HTML file, and rename it “index.html.”
Next, open a separate terminal window and navigate to the same folder as the index.html file. Run the following command to create a local version of the webpage, changing the YOUR_IP part to the IP address of your machine.
~$ sudo python3 -m http.server --bind YOUR_IP 80
Then, return to the terminal window with Xerosploit, and run the dspoof command. But first, return to the module selection screen. Then, open and run the DNS spoofing tool.
When asked, give your IP address as the address to redirect traffic to. All webpages that load will be the page you cloned!
Step 10Try Out Its Other Modules
The other modules you can try out include the following, some of which are pretty fun to test out.
- yplay: Play a YouTube video in the background of browsers.
- injectjs: Inject JavaScript into websites loaded by others on the network.
- injecthtml: Inject HTML instead into websites loaded on the network.
- dos: Deny internet access to that IP address.
- pscan: Run a port scan.
- ping: Ping a device.
- rdownload: Replace files being downloaded with your own.
- deface: Swap out every webpage with your own HTML.
Xerosploit is a vivid example of why you need to be careful of connecting to an unknown network. While a VPN can protect you in most cases, there are still ways an attacker can manipulate your traffic. So make sure to take as many precautions as possible, like utilizing a VPN, any time you’re not sure about the security of the network you’re about to connect to.
Conclusion
Xerosploit is a powerful tool for performing advanced man-in-the-middle attacks, automating complex tasks and providing hackers with the ability to intercept and manipulate network traffic. However, it’s essential to use such tools responsibly and ethically, as unauthorized use can lead to serious legal consequences.
FAQs
Is Xerosploit legal to use?
Xerosploit itself is not illegal, but using it for unauthorized activities or without permission can violate laws related to computer misuse and privacy.
Can Xerosploit bypass HTTPS encryption?
Xerosploit can’t directly bypass HTTPS encryption, but it can intercept unencrypted traffic and manipulate it before it’s encrypted.
Is Xerosploit difficult to learn for beginners?
Xerosploit has a learning curve, especially for beginners. It requires a solid understanding of networking concepts and familiarity with command-line interfaces.
What precautions should I take when using Xerosploit?
Always use Xerosploit in a controlled environment, such as a testing lab, and never target systems without explicit permission. Additionally, use VPNs and encryption to protect your own network traffic.
Can Xerosploit be detected by antivirus software?
Xerosploit’s activities may trigger alerts from antivirus software, especially if used inappropriately. Employing stealth techniques and avoiding detection is crucial when conducting MitM attacks.
