In today's detailed tutorial we are going to learn a dangerous exploitation called pastejacking.
In this article we learn
Pastejacking or clipboard hijacking is a method that malicious websites use to gain control of the clipboard on victim's computer and change that content into malicious content without victim's knowledge. Pastejacking is an exploit in which a person's clipboard's content is replaced by malicious lines, like a link to malicious web server, malicious code or commands.
Example: User surfing web and he got some useful command for him. The command is copied by the user, but if it is a pastejacking then the user not copied the normal looking useful command. User even don't know that he have copied some malicious command in the place of the normal looking useful command.
When he paste and run the the command in Linux terminal or Windows powershell his machine will be compromised.
In case if we must need to copy commands from websites we then can copy it, but before pasting it on terminal we should paste it on text editor like notepad, mousepad, leafpad etc.
If it is a pastejacking then in text editor will show us that what command we have pasted. The terminal also can show us but we shouldn't try it on terminal for security reasons.
This is the process to be safe from pastejacking attacks:
To use the PasteJacker tool we need to clone it from it's GitHub repository by using following command:
The following screenshot shows the output of the preceding command:
Then we install PasteJacker with the following command:
Then it will install all required python packages for PasteJacker tool. This automated script also install PasteJacker tool in our Kali Linux, as we can see in the following screenshot:
Then we can run PasteJacker tool anywhere in our terminal by applying command:
After applying the above command PasteJacker tool's main menu will appear as following screenshot:
Now we can use PasteJacker tool.
The menu shows us two options. If we are going to use against a Windows target then we can go with option 1, for using it against Linux we can choose 2. Here for an example we choose 2 and press enter.
Here the first option will create a hidden command that download our and execute our msfvenom payload in victim's system using wget.
The second option will create a reverse connection of victim's computer using netcat.
In the third one we can create our one-liner malicious commands and use it to perform pastejacking.
We can use the first or second option those are also easy and automated, but we are not going to harm anyone so we write a non-malicious one-liner custom pastejacking for just proof of concept. So we choose option 3.
The screenshot is following:
Here we need to type our one line command. We can use any harmful command for Linux users but we have typed an simple command to display a text.
Here we need to choose a template for pastejacking. Here it have 3 types of pastejacking methods. For our those example we choose option 2 , i.e. pastejacking using javascript.
Then PasteJacker tool will prompt for the port we can leave it blank and press enter because the default port will be 80.
Here we need to type the text and we need to press enter double time to finish it. This will be the normal looking command, we can type anything to attract victim's attention.
PasteJacker tool starts a localhost server in port 80. We open a browser and go to our localhost or 127.0.0.1 and we can see the normal looking command. If we paste and run it will change in to our that one-liner command.
Here we have opened our localhost and copied the command and paste it on mousepad text editor and see what we have got in the following screenshot:
We can even modify the webpage, and give it to a real life website look. To do that we open a terminal our root user directory:
and then we type cd and enter to go to the root user's directory:
Then we can modify the html page by using following command:
In the above screenshot we can see the locally hosted webpage's html codes. We can modify it is as we want like we have modify it a little bit.
This is how we can do pastejacking on our local network. Now we can use port forwarding using SSH or host our this HTML webpage to any hosting site to use pastejacking attack over the internet. Here is a demo.
So, in this tutorial we have learned about pastejacking. What is it and how to be safe from it. We have also learned how to use it in our Kali Linux system.
Liked out tutorial ? or getting any problem ? Fell free to comment down. We always happy to help. For more tutorials like this follow our website. For quick updates on new tutorials and short news follow us on Twitter and Medium.
In this article we learn
- What is pastejacking.
- How to avoid pastejacking.
- Practical of pastejacking in our Kali Linux.
What is pastejacking ?
Pastejacking is a dangerous attack technique with the help of this attacker can control victim's clipboard and paste malicious codes in targeted machine, then attacker get control victim's machine.
Pastejacking or clipboard hijacking is a method that malicious websites use to gain control of the clipboard on victim's computer and change that content into malicious content without victim's knowledge. Pastejacking is an exploit in which a person's clipboard's content is replaced by malicious lines, like a link to malicious web server, malicious code or commands.
Example: User surfing web and he got some useful command for him. The command is copied by the user, but if it is a pastejacking then the user not copied the normal looking useful command. User even don't know that he have copied some malicious command in the place of the normal looking useful command.
When he paste and run the the command in Linux terminal or Windows powershell his machine will be compromised.
How to avoid pastejacking?
Avoiding from this kind of attacks is very easy. We shouldn't copy and paste commands from websites to terminal directly. It is a good practice to type our required commands.In case if we must need to copy commands from websites we then can copy it, but before pasting it on terminal we should paste it on text editor like notepad, mousepad, leafpad etc.
If it is a pastejacking then in text editor will show us that what command we have pasted. The terminal also can show us but we shouldn't try it on terminal for security reasons.
This is the process to be safe from pastejacking attacks:
- We should not copy command from websites better type by own
- For very long commands, before pasting on terminal or powershell we check the command by paste it on text editor.
How to use pastejacking ?
So basically it can be triggered from websites so, good knowledge in web development can implement this or we can simply use automated scripts like PasteJacker in our Kali Linux machine.To use the PasteJacker tool we need to clone it from it's GitHub repository by using following command:
The following screenshot shows the output of the preceding command:
Then we install PasteJacker with the following command:
Then it will install all required python packages for PasteJacker tool. This automated script also install PasteJacker tool in our Kali Linux, as we can see in the following screenshot:
Then we can run PasteJacker tool anywhere in our terminal by applying command:
After applying the above command PasteJacker tool's main menu will appear as following screenshot:
Now we can use PasteJacker tool.
The menu shows us two options. If we are going to use against a Windows target then we can go with option 1, for using it against Linux we can choose 2. Here for an example we choose 2 and press enter.
Here the first option will create a hidden command that download our and execute our msfvenom payload in victim's system using wget.
The second option will create a reverse connection of victim's computer using netcat.
In the third one we can create our one-liner malicious commands and use it to perform pastejacking.
We can use the first or second option those are also easy and automated, but we are not going to harm anyone so we write a non-malicious one-liner custom pastejacking for just proof of concept. So we choose option 3.
The screenshot is following:
Here we need to type our one line command. We can use any harmful command for Linux users but we have typed an simple command to display a text.
Here we need to choose a template for pastejacking. Here it have 3 types of pastejacking methods. For our those example we choose option 2 , i.e. pastejacking using javascript.
Then PasteJacker tool will prompt for the port we can leave it blank and press enter because the default port will be 80.
Here we need to type the text and we need to press enter double time to finish it. This will be the normal looking command, we can type anything to attract victim's attention.
PasteJacker tool starts a localhost server in port 80. We open a browser and go to our localhost or 127.0.0.1 and we can see the normal looking command. If we paste and run it will change in to our that one-liner command.
Here we have opened our localhost and copied the command and paste it on mousepad text editor and see what we have got in the following screenshot:
We can even modify the webpage, and give it to a real life website look. To do that we open a terminal our root user directory:
and then we type cd and enter to go to the root user's directory:
Then we can modify the html page by using following command:
In the above screenshot we can see the locally hosted webpage's html codes. We can modify it is as we want like we have modify it a little bit.
This is how we can do pastejacking on our local network. Now we can use port forwarding using SSH or host our this HTML webpage to any hosting site to use pastejacking attack over the internet. Here is a demo.
So, in this tutorial we have learned about pastejacking. What is it and how to be safe from it. We have also learned how to use it in our Kali Linux system.
Liked out tutorial ? or getting any problem ? Fell free to comment down. We always happy to help. For more tutorials like this follow our website. For quick updates on new tutorials and short news follow us on Twitter and Medium.
U are copying Techchip
ReplyDeleteIt's not true Check my Seeker tutorial . I have posted it on August 2019, and TechChip makes video about it on April 2020. Actually our field is quite similar. We are inspired from each other. By the way Anil is a good friend of me. I also contribute on his new CamPhish tool.
Deletecopy can not be right word
Deleteit should be inspired
he may be inspired by TechChip