fkasler/cuddlephish

White empty page

Closed this issue · 8 comments

t0-git commented

Hey there!

Thanks for this awesome project! I wanted to give it a try and set up a Debian 12 EC2 instance with 2 vCPU and 8GB of RAM. I had to install a few dependencies manually, and when I wanted to launch the command to run node index.js <target>, I encountered an error. It seems it is related to sandboxing in Chromium:
open /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq: No such file or directory (2)
So I just apt install chromium and it started working without any error, but when I tried to browse on the instance, I have an empty white page and this error message in the console of the browser:
Failed to load resource: the server responded with a status of 502 () /socket.io/?EIO=4&transport=polling&t=OdHLx8a:1
// Edit //
This error was linked to AppArmor. I disabled it, and now I do not have any error in the JavaScript console, but the page is still an empty white page. I tried with multiple web browsers (Firefox, Chrome, Chromium and Opera).
// End of edit //

Moreover, trying to access /admin, I have a 403. I double checked the configs.json file, my public IP is correct.

I also tried on a workstation with Linux installed (Debian 12), exposing ports to the outside. I did not have the problem with sandboxing, but I have the exact same problems.

Do you have any idea what could possibly go wrong? Thank you very much!

A few things:

  1. Glad you like it :)
  2. Which other deps did you need to install? Might be better as its own issue, but I suppose only if resolving it didn't cause your remaining problem. Either way, it would be nice to document.
  3. It sounds like maybe some basic blocking on the Caddy file config might be causing you issues when trying to view '/admin'. Caddy blocks with a 403 as well in some common cases that we want to deny. In which case, you would not see the console log from index.js "console.log('admin_ip: ' + client_ip)".

Lastly, as far as an "empty page" goes, I'm not sure I have quite enough info to speculate. Did you confirm that the HTML and JS resources are loading? Do you see peer negotiation steps in the console on the server side? Can you add a debug statement or your own console log statements to see where the breakdown is happening?

t0-git commented
  1. Which other deps did you need to install? Might be better as its own issue, but I suppose only if resolving it didn't cause your remaining problem. Either way, it would be nice to document.
    => libxkbcommon-x11-0 libcups2 libatk-bridge2.0-0 libxdamage1 libpangocairo-1.0-0 libatk1.0-0 (needed when launching the add_target.js script).

For all the other problems: I worked on a Debian 12 EC2 instance without GUI installed. At the beginning, when launching the index.js script, these errors occurred:

[0809/094659.459634:ERROR:file_io_posix.cc(144)] open /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq: No such file or directory (2)
[0809/094659.459740:ERROR:file_io_posix.cc(144)] open /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq: No such file or directory (2)
[0809/094659.469916:ERROR:nacl_helper_linux.cc(315)] NaCl helper process running without a sandbox!
Most likely you need to configure your SUID sandbox correctly

I found a way to resolve the issue related to "open /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq: No such file or directory (2)" (https://stackoverflow.com/questions/70069412/error-installing-chrome-on-aws-ec2-linux-instance-scaling-cur-freq-scaling-ma/70113555#70113555). Using a virtual desktop to connect to the EC2 instance and then launching the index.js script, it works (no blank page, and admin accessible). I do not know if it is feasible to run Chromium in headless mode for the purpose of the tool, as it could be another solution to the problem.

I tried on a local Debian 12 VM with a GUI without Chromium installed and everything works well (no blank page and admin accessible). So my solution to install Chromium on the EC2 instance as stated in my first message was not a good idea. I imagine that the issue I had with my workstation was related to the fact that Chromium was installed on it too.

I just ran it on a fresh Debian 12 EC2 instance with 2 vCPU and 8GB of RAM. I did need to install libgtk-3-0 with:

sudo apt install -y libgtk-3-0

I added this to the install script already.

Other than that, the setup from the README worked perfectly. I even tried to replicate your SUID issue by running as root and could not get it to fail. DON'T run as root BTW! I was just trying to understand/reproduce your issue and could not. Also, it is not designed to be run or tested with any sort of GUI. The main page and admin page are designed to be accessed over the Internet and you may have issues trying to test locally.

As far as a "White empty page" goes, have you looked into trying a TURN server instead of STUN? I left a config for a TURN server in the cuddlephish.html and broadcast.html for those that need it. The example project just uses a single Google STUN server, so if you have issues reaching that STUN server or port, or you are on a more restricted network, you may have issues with the default. You can set up another (or multiple) STUN server(s), or configure your own TURN server for a better chance at connecting phishing targets to your browser instances.

One other potential cause of a "white empty page" could be a tab title with a special character in it. I have noticed at least one service that caused the "--auto-select-desktop-capture-source" flag to fail because there was a special character in the page title. As a workaround, I simply deleted the special character and subsequent characters from the title in my config. The "--auto-select-desktop-capture-source" flag just needs a search string and not a full match.

Closing this issue. Feel free to re-open under a more specific name if you can narrow down to an individual problem.

I was experiencing this issue also. I rebooted my server and it seems to be working now, but this is the error message I was getting in the logs when I saw the white screen, if it's helpful.

Socket connected! 00Qjq3qW-MALquq_AABu
(node:25051) UnhandledPromiseRejectionWarning: Error: Protocol error (Emulation.setDeviceMetricsOverride): Session closed. Most likely the page has been closed.
    at CDPSession.send (/home/user/cuddlephish/node_modules/puppeteer/lib/cjs/puppeteer/common/Connection.js:218:35)
    at next (/home/user/cuddlephish/node_modules/puppeteer-extra-plugin-stealth/evasions/sourceurl/index.js:34:41)
    at CDPSession.send (/home/user/cuddlephish/node_modules/puppeteer-extra-plugin-stealth/evasions/sourceurl/index.js:67:18)
    at EmulationManager.emulateViewport (/home/user/cuddlephish/node_modules/puppeteer/lib/cjs/puppeteer/common/EmulationManager.js:20:26)
    at Page.setViewport (/home/user/cuddlephish/node_modules/puppeteer/lib/cjs/puppeteer/common/Page.js:1769:58)
    at resize_window (file:///home/user/cuddlephish/resize_window.js:2:14)
    at Socket.<anonymous> (file:///home/user/cuddlephish/index.js:206:13)
    at Socket.emit (events.js:314:20)
    at Socket.emitUntyped (/home/user/cuddlephish/node_modules/socket.io/dist/typed-events.js:69:22)
    at /home/user/cuddlephish/node_modules/socket.io/dist/socket.js:703:39
(node:25051) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 48)

When I tried to test it, I also only got a white page on the victim side.
Installation on a Debian 11 worked fine. I changed the following files:
Dockerfile: because I needed a different plugin for xcaddy
config.json: to change the IP, default_user_agent and docket_key
Caddyfile: to change the domain, API key and packet for the API key

I tried to copy the landing page from Discord, so there are no special characters. I also tried to copy other sites.
I can access the admin page and see a picture of the browser there when the victim connects. I can also see the keystrokes the victim makes. But in the victim's browser, I only see a white empty page. I tried Firefox, Chrome and Edge for the victim from a Windows 10 PC, additionally Firefox and Edge from a Windows 7, Firefox from Kali and Firefox from Debian.

The output from the index.js file normally looks like this:

killed browser
client_ip: MY_CLIENT_IP
Socket connected! qWzkMUvR70wlyXNmAAAp
candidate: jhK4T4bOKuj5qIUCAAAn to qWzkMUvR70wlyXNmAAAp
video_stream_offer
viewer_id: qWzkMUvR70wlyXNmAAAp
offer: [object Object]
video_stream_answer
broacaster_id: jhK4T4bOKuj5qIUCAAAn
answer: [object Object]
candidate: qWzkMUvR70wlyXNmAAAp to jhK4T4bOKuj5qIUCAAAn
candidate: qWzkMUvR70wlyXNmAAAp to jhK4T4bOKuj5qIUCAAAn
candidate: qWzkMUvR70wlyXNmAAAp to jhK4T4bOKuj5qIUCAAAn
candidate: qWzkMUvR70wlyXNmAAAp to jhK4T4bOKuj5qIUCAAAn
Socket connected! 9MohnoevKwoUfXcYAAAr

A STUN test from my server looks like this. It is a hosted server and, if I understood it correctly, I am not behind a NAT.

root@localhost:~# stun -v stun.l.google.com:19302
STUN client version 0.97
Opened port 29468 with fd 3
Opened port 29469 with fd 4
Encoding stun message:
Encoding ChangeRequest: 0

About to send msg of len 28 to 108.177.15.127:19302
Encoding stun message:
Encoding ChangeRequest: 4

About to send msg of len 28 to 108.177.15.127:19302
Encoding stun message:
Encoding ChangeRequest: 2

About to send msg of len 28 to 108.177.15.127:19302
Received stun message: 32 bytes
MappedAddress = MY_SERVER_IP:29468
Received message of type 257  id=1
Received stun message: 32 bytes
MappedAddress = MY_SERVER_IP:29469
Received message of type 257  id=2
Encoding stun message:
Encoding ChangeRequest: 2

About to send msg of len 28 to 108.177.15.127:19302
Encoding stun message:
Encoding ChangeRequest: 0

About to send msg of len 28 to MY_SERVER_IP:29468
Received stun message: 28 bytes
ChangeRequest = 0
Received message of type 1  id=11
Received stun message: 32 bytes
MappedAddress = MY_SERVER_IP:29469
Received message of type 257  id=3
Received stun message: 32 bytes
MappedAddress = MY_SERVER_IP:29469
Received message of type 257  id=3
test I = 1
test II = 1
test III = 1
test I(2) = 0
is nat  = 0
mapped IP same = 1
hairpin = 1
preserver port = 1
Primary: Open
Return value is 0x000001

The same STUN test from the Debian victim looks like this:

stun -v stun.l.google.com:19302
STUN client version 0.97
Opened port 23692 with fd 3
Opened port 23693 with fd 4
Encoding stun message: 
Encoding ChangeRequest: 0

About to send msg of len 28 to 173.194.76.127:19302
Encoding stun message: 
Encoding ChangeRequest: 4

About to send msg of len 28 to 173.194.76.127:19302
Encoding stun message: 
Encoding ChangeRequest: 2

About to send msg of len 28 to 173.194.76.127:19302
Received stun message: 32 bytes
MappedAddress = MY_CLIENT_IP:56825
Received message of type 257  id=1
Encoding stun message: 
Encoding ChangeRequest: 4

About to send msg of len 28 to 173.194.76.127:19302
Encoding stun message: 
Encoding ChangeRequest: 2

About to send msg of len 28 to 173.194.76.127:19302
Encoding stun message: 
Encoding ChangeRequest: 0

About to send msg of len 28 to MY_CLIENT_IP:56825
Received stun message: 28 bytes
ChangeRequest = 0
Received message of type 1  id=11
Received stun message: 32 bytes
MappedAddress = MY_CLIENT_IP:56826
Received message of type 257  id=2
Received stun message: 32 bytes
MappedAddress = MY_CLIENT_IP:56826
Received message of type 257  id=3
Received stun message: 32 bytes
MappedAddress = MY_CLIENT_IP:56826
Received message of type 257  id=2
Received stun message: 32 bytes
MappedAddress = MY_CLIENT_IP:56826
Received message of type 257  id=3
test I = 1
test II = 1
test III = 1
test I(2) = 0
is nat  = 1
mapped IP same = 1
hairpin = 1
preserver port = 0
Primary: Independent Mapping, Independent Filter, random port, will hairpin
Return value is 0x000002

I hope the information given is adequate and that you can help me get this awesome project running.
If I missed anything or should post this as a new issue, please let me know. It's my first time posting something on GitHub.

@curisas it looks like from your output in the console that you are having trouble negotiating the STUN connection. Normally, you would have an established peer connection after just one or two ICE candidates. The fact that your test browser kept sending candidates over and over means it's not getting a peer connection to view the video stream. Did you try setting up a STUN server and using that instead?