Backend Server/backdoor.html caching
Jeremyyang920 opened this issue · 5 comments
Currently, I have my backend_server.js file running on one computer on port 1337. I have PoisonTap plugged into another computer on the same network and have changed all of the "Your Domain" values to match that of the computer running the backend_server.
I can see a pending websocket under the developer tools in chrome so I know that it had opened an outbound websocket. After unplugging poison tap, I tried sending a curl command from the server and I can see that the request was sent, but nothing happened on the poisoned computer even though there is the websocket that is open.
I can load nfl.com/poisontap when PT is plugged in, and I can see the animation. But after I remove PT, the website becomes a 404.
Is there something that I am doing wrong?
Update. So I am able to send curl commands and have it pop up on the poisoned computer. But after unplugging PT, the websocket closes and it seems nfl.com/poisontap was never cached properly.
@samyk Do you have any idea why the backdoor is not properly caching? I'm able to see an outbound websocket, but nfl.com/poisontap never gets cached.
Look at the inspector to see why it's not caching. Verify the headers when PoisonTap performs the attack (the caching) and then verify what the headers are when hitting nfl.com/poisontap -- Chrome gives good info about whether or not something is from cache or not
So looking at the headers: when I have PT plugged in, I went to nfl.com/poisontap, and these are the headers I got.
```
Request URL: http://nfl.com/poisontap
Request Method: GET
Status Code: 200 OK
Remote Address: 1.0.0.1:80

Response Headers
Access-Control-Allow-Origin: *
Cache-Control: public, max-age=99936000
Connection: keep-alive
Content-Type: text/html
Date: Thu, 23 Feb 2017 19:19:40 GMT
Expires: Sat, 26 Jul 2040 05:00:00 GMT
Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT
Server: PoisonTap/1.0 SamyKamkar/0.1
```
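The response headers posted above are, on paper, cacheable: `Cache-Control: max-age=99936000` takes precedence over `Expires` under RFC 7234 and gives a freshness lifetime of a little over three years. The following is an added example (editor's code, not part of the PoisonTap project or of any comment in this thread) that applies the RFC 7234 freshness rules to a captured header set and reports whether a cache may reuse the response without going back to the network, and which header decided it. The header values are copied from the comment above; the function names and the extra constructed header sets are my own. It checks only what the headers say; it cannot tell you about client-side reasons a browser might still skip the cache, such as DevTools being open with "Disable cache" ticked, so rule that out before comparing browsers.

```javascript
// Added example (not PoisonTap code): decide whether a captured HTTP response is
// reusable from cache under RFC 7234 freshness rules and compute its lifetime.
// Header values are the ones posted in the thread; function names are my own.

const capturedHeaders = {
  'Access-Control-Allow-Origin': '*',
  'Cache-Control': 'public, max-age=99936000',
  'Connection': 'keep-alive',
  'Content-Type': 'text/html',
  'Date': 'Thu, 23 Feb 2017 19:19:40 GMT',
  'Expires': 'Sat, 26 Jul 2040 05:00:00 GMT',
  'Last-Modified': 'Tue, 15 Nov 1994 12:45:26 GMT',
  'Server': 'PoisonTap/1.0 SamyKamkar/0.1',
};

// Header field names are case-insensitive; normalise once so lookups are simple.
function normalizeHeaders(headers) {
  const out = {};
  for (const name of Object.keys(headers)) out[name.toLowerCase()] = String(headers[name]);
  return out;
}

// Split "public, max-age=60, no-transform" into { public: true, 'max-age': '60', ... }.
function parseCacheControl(value) {
  const directives = {};
  for (const part of (value || '').split(',')) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (!name) continue;
    directives[name] = eq === -1 ? true : part.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
  }
  return directives;
}

// Returns { cacheable, lifetimeSeconds, source } where source names the rule that
// decided the result. Precedence follows RFC 7234 section 4.2.1:
// no-store / no-cache, then max-age, then Expires - Date, then a heuristic.
function freshnessLifetime(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const cc = parseCacheControl(h['cache-control']);

  // no-store forbids storing; no-cache forces revalidation, which is useless for a
  // backdoor that must load while the victim is offline from the attacker.
  if ('no-store' in cc) return { cacheable: false, lifetimeSeconds: 0, source: 'no-store' };
  if ('no-cache' in cc) return { cacheable: false, lifetimeSeconds: 0, source: 'no-cache' };

  const maxAge = Number.parseInt(cc['max-age'], 10);
  if (Number.isFinite(maxAge)) {
    return { cacheable: maxAge > 0, lifetimeSeconds: maxAge, source: 'max-age' };
  }

  // Without a Date header a cache uses the time it received the response.
  const parsedDate = Date.parse(h['date']);
  const date = Number.isFinite(parsedDate) ? parsedDate : Date.now();

  if ('expires' in h) {
    const expires = Date.parse(h['expires']);
    // RFC 7234 5.3: an unparsable Expires value means "already expired".
    if (!Number.isFinite(expires)) return { cacheable: false, lifetimeSeconds: 0, source: 'expires' };
    const secs = Math.floor((expires - date) / 1000);
    return { cacheable: secs > 0, lifetimeSeconds: secs, source: 'expires' };
  }

  // Heuristic freshness (RFC 7234 4.2.2): 10% of the time since Last-Modified is the
  // common choice; browsers are free to apply something else or nothing at all.
  const lastModified = Date.parse(h['last-modified']);
  if (Number.isFinite(lastModified) && lastModified < date) {
    const secs = Math.floor((date - lastModified) / 10000);
    return { cacheable: secs > 0, lifetimeSeconds: secs, source: 'heuristic' };
  }
  return { cacheable: false, lifetimeSeconds: 0, source: 'none' };
}

// Stand-alone run: report the verdict for the headers captured in the thread.
console.log(freshnessLifetime(capturedHeaders));
// -> { cacheable: true, lifetimeSeconds: 99936000, source: 'max-age' }
```

If this says `cacheable: true` for the attack response but the later visit to nfl.com/poisontap still shows a network fetch, the headers are not the problem and the next thing to compare is the request side (DevTools cache setting, whether the request carried `Cache-Control: no-cache` because of a hard reload, and whether the request URL is byte-for-byte the same as the one that was cached).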
I'm having this exact problem. I have the same headers and did a test in Chrome on Windows/Linux and Chromium on Linux; all cases have the same cache issue.
The only way I managed to get it to work was in Linux, disconnecting the PT before the websocket timed out. This didn't work for Windows, as the websocket aborts when the PT is removed and, as there is no cache, the backdoor never connects to the backend server.
UPDATE:
This seems to be an issue specifically with Chrome/Chromium. I just did a quick test in Firefox directly accessing nfl.com/PoisonTap, and in that case it was really cached and it worked like a charm.