What is Imposter?

Imposter is a flexible framework for performing browser phishing attacks. Once the system running Imposter is configured as the DNS server for the victims, Imposter’s internal DNS server resolves all DNS queries to itself. When a victim tries to access any website, the domain resolves to the system running Imposter and Imposter’s internal web server serves the content. Depending on the configuration, the appropriate payloads are sent to the victim. Data stolen from the victim is sent back to Imposter and stored in a SQLite database in a folder named after the date and time of the attack.
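The precondition above, a resolver that answers every query with its own address, is also what a defender can test for from a client. The following is an added example, not code from Imposter, that probes the active resolver with a few unrelated names plus a freshly generated non-existent name; the probe names and the fake resolvers used in the test are constructed for this illustration.

```python
import secrets
import socket

# Constructed probe set: unrelated public names that must never share one A record.
PROBE_NAMES = ("example.com", "example.net", "example.org", "iana.org")

def system_resolve(name):
    """Resolve with the OS resolver; None stands in for NXDOMAIN or failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def random_bogus_name():
    """A name that cannot exist; an honest resolver must answer NXDOMAIN for it."""
    return "probe-" + secrets.token_hex(8) + ".invalid"

def detect_wildcard_resolver(resolve=system_resolve):
    """Combine two signals: every probe name collapsing onto one IP, and a fresh
    non-existent name getting an answer at all.  Both hold for a resolver that
    maps every query to itself; either alone is only suspicious."""
    answers = {name: resolve(name) for name in PROBE_NAMES}
    bogus = random_bogus_name()
    answers[bogus] = resolve(bogus)
    probe_ips = {answers[name] for name in PROBE_NAMES}
    collapsed = len(probe_ips) == 1 and None not in probe_ips
    bogus_resolved = answers[bogus] is not None
    return {
        "answers": answers,
        "collapsed": collapsed,
        "bogus_resolved": bogus_resolved,
        "wildcard": collapsed and bogus_resolved,
        "sinkhole_ip": next(iter(probe_ips)) if collapsed else None,
    }

if __name__ == "__main__":
    verdict = detect_wildcard_resolver()
    for name, ip in verdict["answers"].items():
        print(f"{name:40} -> {ip}")
    print("wildcard resolver:", verdict["wildcard"], "sinkhole:", verdict["sinkhole_ip"])
```

Running it on a client that has been handed a rogue resolver shows every name, including the bogus one, mapping to the same address.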

Capabilities:

Imposter can perform the following attacks:

  1. Steal cookies
  2. Set cookies
  3. Steal Local Shared Objects
  4. Steal stored passwords from Firefox
  5. Steal cached files
  6. Poison browser cache
  7. Steal files from the victim’s local file system through Internet Explorer
  8. Run SQL queries on the victim’s Google Gears database and transfer the results
  9. Create ResourceStore and Managed ResourceStore on the victim’s Google Gears LocalServer

For the attacks related to Google Gears, the payload generated by Imposter automatically checks if the victim has installed and permitted Gears. This prevents any pop-up alerts to the user.

General Requirements:
  1. Administrative Rights:
    Reasons:
    • Imposter listens on ports 53/UDP and 80/TCP
    • The 'File Stealer' module runs an internal sniffer
  2. System running Imposter should have the IP address 192.168.1.3
    Reasons:
    • Internal DNS server resolves all domains to 192.168.1.3
  3. WinPcap must be installed on the system

Special requirements for the File Stealer module:
  1. Linux Virtual Machine with IP address 192.168.1.2 configured in 'bridged' networking mode.
  2. A samba network share named 'imp' with anonymous read access on the Linux VM.
  3. This network share should be an smbmount of the 'imp' folder that comes along with Imposter.
  4. ‘imp’ folder containing ‘imposter.swf’ must be in the same directory as the Imposter binary

Step by step set-up instructions:
  1. Share the 'imp' folder in the Imposter directory with name 'imp_win'.
  2. In the Linux VM create a folder '/imp' and map it to the 'imp_win' share with this command:
    mount -t smbfs -o username=<win user name> //192.168.1.3/imp_win /imp
  3. Add the following lines to the ‘smb.conf’ file:
    [imp]
       path = /imp
       read only = yes
       public = yes
  4. Restart the smb service.

Battleground View:

The image below shows how Imposter sits in relation to the victim and how it has to be configured.

Modules:
Attack Centre:

This is the dashboard of Imposter.

  • The ‘Victims’ section will show the list of victims connected to Imposter.
  • The checkboxes specify which attacks Imposter will perform.
  • The ‘Summary’ tab displays information about the stolen data and status updates in real time.
  • On double-clicking any victim the ‘Stolen Data’ tab will display the data stolen from that victim.

Welcome Page:

This tab contains the HTML of the head and body section of the page that would be displayed to the victim when he connects to Imposter. The iframes to carry out the attack would be automatically added to this HTML by Imposter.

Update Button:

To set a custom welcome page, enter the required HTML and click 'Update'. The custom HTML is stored in, and read from, the ‘config.s3db’ database file. The custom page can include images as well; refer to the ‘Serving custom resources’ section to find out how this is done.

Reset to default:

This resets the HTML to its default value.

HTTP Cookies:

Imposter can steal as well as set cookies in the victim’s browser. The URL value depends on the ‘path’ attribute of the cookie that is to be stolen. To set a cookie, enter the key-value pair in the ‘Set-Cookie’ text box. If more than one key-value pair should be set, enter each on a new line; Imposter sends a separate ‘Set-Cookie’ header for each line.

Flash Cookie:

Flash LSOs can be stolen using Imposter. Flash LSOs have a path attribute which acts as an access control parameter; the URL and LSO path fields should take this into account. The LSO read from the victim’s browser is stored in an array and the base64-encoded value of this array is sent to Imposter.

Password Stealer:

This module steals passwords from Firefox’s ‘saved passwords’ repository. The URL of the page which contains the login form and the HTML of that login form should be entered. The HTML need only contain the fields that are to be stolen; other ‘hidden’ fields can be left out. The login form must be served over HTTP for this attack to work, although its action attribute can point to an HTTPS page.

File Stealer:

There are special requirements for the File Stealer module to function; these are mentioned earlier in the guide. Once it has been set up properly, the full names of the files that must be stolen from the victim’s system are entered here. This is the only module where new entries can be added while Imposter is running; they are immediately sent to the victim.

Poison Cache:

Imposter can poison the local browser cache. The URL of the file to be cached, its content-type and its content should be entered. Currently binary files such as images, Flash, etc. are not supported. The expiry date is set to ‘Expires: Mon, 11 Jan 2011 11:11:11’.

Steal Cache:

Imposter can steal cached files from the victim’s browser. It currently only supports text-based files, so images, etc. cannot be stolen. Add the entire URL of the cached file that must be stolen.

Steal from Database:

Imposter can run SQL queries on the victim’s Google Gears database. If the query is a ‘SELECT’ query that returns data then this is sent back to Imposter and stored in a SQLite database in the output folder.

The URL of the site, the name of the Google Gears database and the SQL query should be entered in Imposter.

Backdoor Resource Store:

Imposter can create Resource Stores (RS) on the victim’s machine. All properties of the Resource Store must be entered. Only the ‘Required Cookie’ field is optional.

After entering the properties of the RS, the files should be added one by one before ‘Add’ is clicked. Currently binary files such as images, Flash, etc. are not supported. Each individual file is added using the ‘+’ button. Once all the files have been entered, clicking the ‘Add’ button adds this entry.

Backdoor Managed Resource Store:

Imposter can create Managed Resource Stores (MRS) on the victim’s machine. All properties of the Managed Resource Store must be entered. Only the ‘Required Cookie’ field is optional.

After entering the properties of the MRS, the files should be added one by one before ‘Add’ is clicked. Currently binary files such as images, Flash, etc. are not supported. Each individual file is added using the ‘+’ button. Once all the files mentioned in the ‘Manifest File’ have been entered, clicking the ‘Add’ button adds this entry.

Serving custom resources:

Imposter can be used as a traditional web server to serve static content. To do this, create a directory named ‘www’ in the same folder where the Imposter binary is located. This directory serves as the ‘webroot’. When you want to request these files from the browser, ‘?get_from_webserver.file’ should be appended to the file name. This keyword indicates to Imposter that the file should be served from the ‘www’ folder.

For example, if a file named “logo.jpg” is placed inside the webroot directory, the HTML referring to it should look like this: <img src="/logo.jpg?get_from_webserver.file">

FAQ:
  1. Does Imposter work on Linux?
    No, currently it only works on Windows. A Mono compatible version might come out in the future.

  2. If similar attacks can work on HTML5 then why isn't Imposter supporting it?
    Simple: no websites are using HTML5's Database and Cache features yet, so there are no databases to steal data from. As with Google Gears, the user has to explicitly permit a site to use HTML5's cache, so setting backdoors is out of the question because users would not have permitted any site to use this feature yet. Have patience.

  3. Why does the ‘File Stealer’ module need a Linux VM?
    A share with anonymous read access should be set up for the file stealing attack to work. I could not set up one on my Windows system even after a lot of struggle, so I gave up and made one in the Samba server in one of my Linux VMs. Since users might also have similar problems I stuck to this design.

  4. Imposter does not seem to work, how do I troubleshoot?
    • Check if the DLLs of ‘SharpPcap’ and ‘System.Data.SQLite’ are present in the same directory as the Imposter binary.
    • Check if the IP addresses of the systems and DHCP setting in the Access Point are properly set as explained in the guide.
    • Check if the ‘lso.swf’ file is in the same directory as the Imposter binary.
    • Check if the ‘imp’ directory is present in the same directory and is properly set up as explained. (‘File Stealer’ module only)
    • If you have set a custom welcome page referencing any resources, check if they are present in the ‘www’ directory.
  5. Sometimes Imposter shows me a blank page instead of the ‘welcome page’ with iframes, why?
    • Imposter sends the initial page with the payloads only for the very first request that comes from the victim. For all other requests Imposter returns a ‘200 OK’ response with no body. Sometimes you might have your browser open with some pages loaded before connecting to the attacker’s Wi-Fi; then the first request could be made by an Ajax call from a page that is already open, so when you open a new tab and request a site a blank page is shown.
    • To prevent the page with the payload being sent to HTTP requests that are sent by other software, Imposter only sends the payload to requests with the ‘User-Agent’ header containing one of the following keywords:
      • MSIE
      • Firefox
      • Opera
      • Chrome
  6. Imposter works for most victims but when some victims connect the attacks don’t work, why?
    • The victim may have a proxy configured in his browser.
    • The victim’s browser might have already resolved the IP address of a domain before connecting to the attacker’s network.
    • Any of the reasons explained in the previous question.
  7. File stealing attack does not work against certain machines, why?
    There could be different reasons for this. If the machine is part of a domain then this attack does not work, because the user is given an authentication prompt when connecting to shares that are not part of his domain.

  8. Does Imposter send any data outside of my machine?
    No, Imposter only listens for inbound connections; no outbound connection is made except one. When Imposter is started it makes a single request to ‘http://www.andlabs.org/tools/imposter/version.txt’ to check for newer versions of Imposter.

  9. Why doesn’t Imposter come with preloaded configuration to attack popular sites?
    Imposter is deliberately provided with no preloaded configuration. This is to prevent abuse of this tool by script kiddies. Though the tool is very easy to use, the attacker must have a good understanding of the attacks and the technologies to configure it effectively.

  10. Who do I contact if I have (questions | ideas | suggestions | comments | criticism | feedback)?
    My email ID is here. I would love to hear from you.