QRLJacking: Nuevo Vector de Ataque de Ingeniería Social

El QRLJacking o Quick Response Code Login Jacking es un vector de ataque simple pero desagradable que afecta a todas las aplicaciones que se apoyan en la función “Login with QR code” (Iniciar sesión con QR) como una forma segura de iniciar sesión en las cuentas que tiene como objetivo secuestrar la sesión de los usuarios por los atacantes.

QRLJacking es la combinación de Clickjacking + SSO (Single Sign On) + código QR.

Instalación

Requisitos previos antes de la instalación:

• Linux o MacOS. (No funciona en Windows)
• Python 3.7+

1. Actualiza el navegador Firefox a la última versión
2. Instala la última versión de geckodriver desde aquí y extrae el archivo y luego:

chmod +x geckodriver
sudo mv -f geckodriver /usr/local/share/geckodriver
sudo ln -s /usr/local/share/geckodriver /usr/local/bin/geckodriver
sudo ln -s /usr/local/share/geckodriver /usr/bin/geckodriver

3. Clona el repositorio y dirígete a la carpeta del programa:

git clone https://github.com/OWASP/QRLJacking
cd QRLJacking/QRLJacker

4. Instale todos los requisitos con

pip install -r requirements.txt

• Ahora puedes ejecutar el framework con

python3 QrlJacker.py --help

Probado en

• Ubuntu 18.04 Bionic Beaver
• Kali Linux 2018.x y superior

Uso

Argumentos de la línea de comandos

usage: QrlJacker.py [-h] [-r ] [-x ] [--debug] [--dev] [--verbose] [-q]

optional arguments:
  -h, --help  show this help message and exit
  -r          Execute a resource file (history file).
  -x          Execute a specific command (use ; for multiples).
  --debug     Enables debug mode (Identifying problems easier).
  --dev       Enables development mode (Reloading modules every use).
  --verbose   Enables verbose mode (Display more details).
  -q          Quit mode (no banner).

Menú de Ayuda principal

General commands
=================
	Command               Description
	---------             -------------
	help/?                Show this help menu.
	os      <command>     Execute a system command without closing the framework
	banner                Display banner.
	exit/quit             Exit the framework.

Core commands
=============
	Command               Description
	---------             -------------
	database              Prints the core version, check if framework is up-to-date and update if you are not up-to-date.
	debug                 Drop into debug mode or disable it. (Making identifying problems easier)
	dev                   Drop into development mode or disable it. (Reload modules every use)
	verbose               Drop into verbose mode or disable it. (Make framework displays more details)
	reload/refresh        Reload the modules database.

Resources commands
==================
	Command               Description
	---------             -------------
	history               Display commandline most important history from the beginning.
	makerc                Save the most important commands entered since start to a file.
	resource  <file>      Run the commands stored in a file.

Sessions management commands
============================
	Command               Description
	---------             -------------
	sessions (-h)         Dump session listings and display information about sessions.
	jobs     (-h)         Displays and manages jobs.

Module commands
===============
	Command               Description
	---------             -------------
	list/show             List modules you can use.
	use      <module>     Use an available module.
	info     <module>     Get information about an available module.
	previous              Runs the previously loaded module.
	search   <text>       Search for a module by a specific text in its name or in its description.

Menú de Ayuda del módulo

General commands
=================
	Command               Description
	---------             -------------
	help/?                Show this help menu.
	os      <command>     Execute a system command without closing the framework
	banner                Display banner.
	exit/quit             Exit the framework.

Core commands
=============
	Command               Description
	---------             -------------
	database              Prints the core version and then check if it's up-to-date.
	debug                 Drop into debug mode or disable it. (Making identifying problems easier)
	dev                   Drop into development mode or disable it. (Reload modules every use)
	verbose               Drop into verbose mode or disable it. (Make framework displays more details)
	reload/refresh        Reload the modules database.

Resources commands
==================
	Command               Description
	---------             -------------
	history               Display commandline most important history from the beginning.
	makerc                Save the most important commands entered since start to a file.
	resource  <file>      Run the commands stored in a file.

Sessions management commands
============================
	Command               Description
	---------             -------------
	sessions (-h)         Dump session listings and display information about sessions.
	jobs     (-h)         Displays and manages jobs.

Module commands
===============
	Command               Description
	----------            --------------
	list/show             List modules you can use.
	options               Displays options for the current module.
	set                   Sets a context-specific variable to a value.
	run                   Launch the current module.
	use     <module>      Use an available module.
	info    <module>      Get information about an available module.
	search  <text>        Search for a module by a specific text in its name or in its description.
	previous              Sets the previously loaded module as the current module.
	back                  Move back from the current context.

Menú de ayuda de los comandos de las sesiones

usage: sessions [-h] [-l] [-K] [-s] [-k] [-i]

optional arguments:
  -h   Show this help message.
  -l   List all captured sessions.
  -K   Remove all captured sessions.
  -s   Search for sessions with a specifed type.
  -k   Remove a specifed captured session by ID
  -i   Interact with a captured session by ID.

Menú de ayuda del comando Jobs

usage: jobs [-h] [-l] [-K] [-k]

optional arguments:
  -h   Show this help message.
  -l   List all running jobs.
  -K   Terminate all running jobs.
  -k   Terminate jobs by job ID or module name

Aplicaciones y servicios web vulnerables

Hay muchas aplicaciones y servicios web conocidos que eran vulnerables a este ataque hasta la fecha en que fue escrita este documento. Aquí hay algunos ejemplos (reportados) incluyendo, pero no limitado a:

• Aplicaciones de chat: WhatsApp, WeChat, Line, Weibo, mensajería instantánea QQ
• Servicios de correo: QQ Mail (personal y empresarial), Yandex Mail
• Comercio electrónico: Alibaba, Aliexpress, Taobao, Tmall, 1688.com, Alimama, Taobao Trips
• Banca en línea: AliPay, Yandex Money, TenPay
• Servicios de pasaporte “críticos”: Yandex Passport (Yandex Mail, Yandex Money, Yandex Maps, Yandex Videos, etc.)
• Software de gestión de móviles: AirDroid
• Otros servicios: MyDigiPass, Zapper & Zapper WordPress Login by QR Code plugin, Trustly App, Yelophone, Alibaba Yunos

Repositorio aquí.