
Hook and Control secret value

Open ghost opened this issue 4 years ago • 5 comments

Hook and Control (hook-and-control.js): Hijack target browsers and use them to access inaccessible resources from your own browser or other HTTP clients. You can retrieve the list of hooked browsers on the "soohooked" sub-domain of the Singularity manager host on port 3129 by default e.g. http://soohooked.rebinder.your.domain:3129/. To authenticate, submit the secret value dumped to the console by the Singularity server at startup.

  • When I copy and paste the temporary secret it does not work. It says authentication failed

ghost, May 01 '21 16:05

Hello,

I've just tested with the latest version of Singularity, compiled with Go version "1.16.3", since we made a code change yesterday. It works for me. Maybe you pasted extraneous spaces?

If the server returns "Temporary secret: 8cf4dbe7a4c056d0ae1b02f22026ae16287f88f4", you must copy and paste "8cf4dbe7a4c056d0ae1b02f22026ae16287f88f4" in your web browser.

gdncc, May 01 '21 21:05

WebSocket connection to 'ws://ipaddress:3129/soows' failed:

It shows as if there was a problem in the code below:

```js
if (headers.get('www-authenticate') !== null) {
    let ws = new WebSocket(`ws://${wsurl}/soows`);
```

naahmoraaes, May 02 '21 21:05

```
Uncaught (in promise) TypeError: headers.get is not a function at webSocketHook (payload.js:184) at payload.js:258
```

naahmoraaes, May 02 '21 21:05

I've successfully tried "Hook and Control" against a service listening on localhost, with the latest version of the code and with the following configuration:

  • Client machine: macOS
  • Client machine DNS server: 8.8.8.8
  • Browser: Chrome
  • Target: Portswigger Burp HTTP interface, listening on localhost, port 8080
  • Attack payload: "Hook and Control"
  • Singularity of Origin Advanced Options: No change from the default.

It looks like DNS rebinding did not work in the log you provided above, but there is too little information to confirm.

Did you try the "Simple Fetch Get" payload first before trying "Hook and Control"? Did it work? Can you provide more details on your environment, client and Singularity setup and target service?

gdncc, May 03 '21 00:05
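The defensive counterpart to the setup gdncc tested above (a service bound to localhost reached through a rebound name): an added Go example, not code from Singularity or from this thread, showing a Host-header allowlist middleware that a localhost-only service can use to refuse requests that arrive under a name it does not expect. The host names in it, including rebound.attacker.example, are constructed placeholders.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Host names a localhost-only service expects. A request arriving through
// a rebound attacker-controlled name carries that name instead.
var allowedHosts = map[string]bool{"localhost": true, "127.0.0.1": true, "::1": true}
// hostAllowed normalises case, optional port and IPv6 brackets, then checks
// the allowlist; empty or malformed values are rejected.
func hostAllowed(hostHeader string) bool {
	h := strings.ToLower(strings.TrimSpace(hostHeader))
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host // drop the port (also unbrackets IPv6 literals)
	}
	h = strings.TrimSuffix(strings.TrimPrefix(h, "["), "]") // bare "[::1]" case
	return allowedHosts[h]
}

// RebindGuard answers 421 Misdirected Request unless Host is an expected local name.
func RebindGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host) {
			http.Error(w, "unexpected Host header", http.StatusMisdirectedRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusForHost sends one in-memory GET with the given Host to a guarded handler and returns the status.
func StatusForHost(host string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	RebindGuard(ok).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "http://"+host+"/", nil))
	return rec.Code
}

func main() {
	// Constructed sample hosts; the last one stands in for a rebound name.
	for _, h := range []string{"localhost:8080", "[::1]:8080", "rebound.attacker.example:8080"} {
		fmt.Printf("%-32s -> %d\n", h, StatusForHost(h))
	}
}
```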

I found my error. Thanks

naahmoraaes, May 04 '21 18:05