Exploit Pack includes as part of its core features an XSS Channel. This is basically an interactive communication between two or more systems that are carried out by an XSS attack or by direct modification of the targeted website.
At a technical level, it is a type of AJAX application that can obtain commands, send responses back and is able to talk cross-domain. The XSS Shell is a tool that can be used to set up an XSS Channel between a victim and an attacker so that an attacker can take control of the victim's browser by sending it arbitrary commands.
An example of injection would be:
How to use it? On the left side of the screen go to Utilities tab and then Remote Control, now select "Agent-XSS". On the Editor, you will see the code to be executed into the victim's browser once triggered. You should change the value in the code from "http://127.0.0.1:8000/agent/;" for the IP address that you want to trick, for example, if you want to use something else than localhost let's say a class C like 192.168.0.1 as a server, you will have with something like "http://192.168.0.1/agent/"; so when the XSS gets executed it will know where to find the server.
How to conduct a real attack during a pentest?
Once you are ready select all and copy it into a file like '"exploitpack.js" and host it on your desired website.
Host this file on a web server of your choice or serve it using Exploit Pack.
Trigger the victim to execute this JS through an XSS injection or by the modification of the targeted website.
Once the victim has executed this JS you will see under the "Connection list" your new agents being deployed.
Below you will see a list of useful commands you can use with any of those agents, these commands can be chained so you can execute more than one at the same time.
// Dialog(message) - To display a Dialog and receive the answer// GetCredentials(credentials) - Collect user's credentials// GetSession() - Get user's sessions// Freeze() - Infinite loop the remote browser// PersistAggresive() - Persist the session on the remote browser// redirectSite(url) - Redirect the user to the desired URL// execJS(code) - Execute your JS on inside a script tag// monster() - Call the Cookie monster on the user's browser// tabKiller() - Kill the current tab ( Firefox, Chrome )// PersistOnClick() - Persist the agent on an OnClick event// jokeImages() - Make spin the images of the open pages// protectMySite() - Activate the keylogging function and block XSS and SQLi attempts// xssProtect() - Activate the XSS client-side protection on the desired browser// sqlProtect() - Activate the SQLi client-side protection on the desired browser// banIP(ip) - Add the desired IP/Hostname to your blacklist// addIPtoBanList() - Add the current IP/Hostname to your blacklist// antiCopyPaste() - Prevent the remote user of copy/paste the page// noCTRL() - Deactivate the CTRL functions// scanEngine(host) - Launch a discover scan from the remote browser// portScanner(host) - Launch a portscan from the remote browser to a specific host// launchWindow(id) - Create a new windows with the specified height, width// exploitThis(exploitName) - Execute an exploit ( Browser ) from the agent// scanForThreats() - Discover remote plugins and useful information for testing// Plugins() - Obtains a list of running plugins on the remote host// ScreenSize() - Calculate and retrieve current Window size
QUICK DEMO In order to see how it works before deploying it into your testing environment, you can deploy an agent in your local machine, on the top-side of the screen click on the "Browser" button (you can also find it in the Red Team tab under network connectivity as "Browser shell") this will pop-up a browser window that has already included the XSS agent into it, once it's triggered you will see the connection back in the Exploit Pack console.
You can try all the options and commands provided for your basic attacks, but you can also add to that code anything you want in JS, it will be automatically added and executed into the victim's browser.