Pastejacking -- Exploiting Remote Machines

In today's detailed tutorial we are going to learn a dangerous exploitation called pastejacking.

In this article we learn
  • What is pastejacking.
  • How to avoid pastejacking.
  • Practical of pastejacking in our Kali Linux.

What is pastejacking ?

 Pastejacking is a dangerous attack technique with the help of this attacker can control victim's clipboard and paste malicious codes in targeted machine, then attacker get control victim's machine.

pastejacking and pastejacker in kali linux 2020

Pastejacking or clipboard hijacking is a method that malicious websites use to gain control of the clipboard on victim's computer and change that content into malicious content without victim's knowledge. Pastejacking is an exploit in which a person's clipboard's content is replaced by malicious lines, like a link to malicious web server, malicious code or commands.

Example: User surfing web and he got some useful command for him. The command is copied by the user, but if it is a pastejacking then the user not copied the normal looking useful command. User even don't know that he have copied some malicious command in the place of the normal looking useful command.

When he paste and run the the command in Linux terminal or Windows powershell his machine will be compromised.

How to avoid pastejacking?

Avoiding from this kind of attacks is very easy. We shouldn't copy and paste commands from websites to terminal directly. It is a good practice to type our required commands.

In case if we must need to copy commands from websites we then can copy it, but before pasting it on terminal we should paste it on text editor like notepad, mousepad, leafpad etc.

If it is a pastejacking then in text editor will show us that what command we have pasted. The terminal also can show us but we shouldn't try it on terminal for security reasons.

This is the process to be safe from pastejacking attacks:
  • We should not copy command from websites better type by own
  • For very long commands, before pasting  on terminal or powershell we check the command by paste it on text editor.

How to use pastejacking ?

So basically it can be triggered from websites so, good knowledge in web development can implement this or we can simply use automated scripts like PasteJacker in our Kali Linux machine.

To use the PasteJacker tool we need to clone it from it's GitHub repository by using following command:

git clone https://github.com/D4Vinci/PasteJacker
The following screenshot shows the output of the preceding command:

git clone git clone https://github.com/D4Vinci/PasteJacker

Then we install PasteJacker with the following command:

sudo python3 -m pip install ./PasteJacker
Then it will install all required python packages for PasteJacker tool. This automated script also install PasteJacker tool in our Kali Linux, as we can see in the following screenshot:

installing pastejacker

Then we can run PasteJacker tool anywhere in our terminal by applying command:

sudo pastejacker
After applying the above command PasteJacker tool's main menu will appear as following screenshot:

PasteJacker main menu

Now we can use PasteJacker tool.

The menu shows us two options. If we are going to use against a Windows target then we can go with option 1, for using it against Linux we can choose 2. Here for an example we choose 2 and press enter.

pastejacker menu

Here the first option will create a hidden command that download our and execute our msfvenom payload in victim's system using wget.

The second option will create a reverse connection of victim's computer using netcat.

In the third one we can create our one-liner malicious commands and use it to perform pastejacking.

We can use the first or second option those are also easy and automated, but we are not going to harm anyone so we write a non-malicious one-liner custom pastejacking for just proof of concept. So we choose option 3.

The screenshot is following:

one-liner command for pastejacking

Here we need to type our one line command. We can use any harmful command for Linux users but we have typed an simple command to display a text.

choosing a templet

Here we need to choose a template for pastejacking. Here it have 3 types of pastejacking methods. For our those example we choose option 2 , i.e. pastejacking using javascript.

Then PasteJacker tool will prompt for the port we can leave it blank and press enter because the default port will be 80.

entering text

Here we need to type the text and we need to press enter double time to finish it. This will be the normal looking command, we can type anything to attract victim's attention.

pastejacker tool

PasteJacker tool starts a localhost server in port 80. We open a browser and go to our localhost or 127.0.0.1 and we can see the normal looking command. If we paste and run it will change in to our that one-liner command.

Here we have opened our localhost and copied the command and paste it on mousepad text editor and see what we have got in the following screenshot:

pastejacking example

We can even modify the webpage, and give it to a real life website look. To do that we open a terminal our root user directory:

sudo su
 and then we type cd and enter to go to the root user's directory:

cd
root directory

Then we can modify the html page by using following command:

sudo mousepad .pastejacker/index.html
modifying the HTML

In the above screenshot we can see the locally hosted webpage's html codes. We can modify it is as we want like we have modify it a little bit.

pastejacking

This is how we can do pastejacking on our local network. Now we can use port forwarding using SSH or host our this HTML webpage to any hosting site to use pastejacking attack over the internet. Here is a demo.

So, in this tutorial we have learned about pastejacking. What is it and how to be safe from it. We have also learned how to use it in our Kali Linux system.

Liked out tutorial ? or getting any problem ? Fell free to comment down. We always happy to help. For more tutorials like this follow our website. For quick updates on new tutorials and short news follow us on Twitter and Medium.
Pastejacking -- Exploiting Remote Machines Pastejacking -- Exploiting Remote Machines Reviewed by Kali Linux on April 05, 2020 Rating: 5

2 comments:

  1. Replies
    1. It's not true Check my Seeker tutorial . I have posted it on August 2019, and TechChip makes video about it on April 2020. Actually our field is quite similar. We are inspired from each other. By the way Anil is a good friend of me. I also contribute on his new CamPhish tool.

      Delete

Please do not spam here. It is comment box not a spambox. Promotional links are not allowed.

Powered by Blogger.