Creating & Modifying Attacks

Michael Wetherald edited this page Jun 28, 2018 · 1 revision

We recommend creating attacks with the admin web app's Attack Builder.

But if you are familiar with the architecture of whoof attacks, you can assemble your own JSON file in the appropriate structure and import it.

Attack Builder Sections

On this page we walk through building the example attack, log.

Describe

In this section you provide a unique name for the attack. The name must not already be used by an attack in your database. You can delete or rename another attack if you have a name conflict.
Additionally, you should provide a brief description of the attack, which is visible in the list of attacks in the attacks section.

Inputs

The inputs section is where you add any inputs the admin must set before executing an attack. In our log example, we need to provide an input for the message to pass to console.log in the target's page.

Inputs can be added with the add button (highlighted in green) and removed with the remove button (highlighted in red).

Input Parameters:
Name: This is the name of the input as shown in the attack module.
Description: This is the description of the input as shown in the attack module.
HTML Type: This sets the type attribute of the HTML input element so that it can do basic input validation (e.g. email would attempt to validate the input as a valid email). Common values: text, url, email, date; see input types.
Default Value: This is the value used if an input isn't provided.

Prepare Function

This function is executed in the admin's web app before sending the attack instructions to the victim for execution. Its purpose is to programmatically prepare the execute function. Its two parameters are params and logger.
logger is a function which is used to log something in the admin terminal (e.g. logger('attack successfully prepared')).
params is a JavaScript object which contains all of the input names and values set by the admin before execution. For example, with our log attack, the input message would be available to read and edit as params.message. Additionally you can add any other parameters you would like to have accessible in the execute function (e.g. params.anotherValue = 'something useful'). The prepare function must return params.

You can prevent an attack from being executed for any reason by setting params._cancel_attack to a truthy value in the prepare function.

Execute Function

This is the function which is executed in the target page. It has one parameter, params.
params is the same params object which was modified in the prepare function, with the additional parameters victim and _attack_instance_id.
params.victim is the ID visible in the victims section of the admin app.
params._attack_instance_id is a combination of the WebSocket ID and the current date time.
These parameters are used to match the response from the target page with the appropriate victim and should not be modified carelessly.

This is where you execute whatever functionality you would like in the target page. You access inputs set by the admin before execution as params.inputName. For example, in our log attack this is where we would call console.log(params.message).

In addition to all other global variables in the target's page, there is the variable socket which is the socket.io socket used to communicate with whoof. Currently there are two events which you can emit, message and result.

If you would like to log something in the admin terminal emit the event message with the string you would like to log as such:

socket.emit('message', "Message to log")

When you are done executing your commands you can notify the admins with the results by emitting the event result with an optional message parameter which is logged in the admin terminal as such:

socket.emit('result', {
  message: `Successfully logged ${params.message}`,
  params
})

Followup Function

This function is executed in the admin web app after the result event is received from the target. It has two parameters, params and logger.
params is the params object emitted by the target page socket via the result event.
logger is a function which is used to log something in the admin terminal (e.g. logger('result received from attack')).
This function can be used to process any data received as a result of the attack and to notify admins.
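
The prepare, execute and followup stages of the log attack can be exercised offline to check how params and the terminal messages flow between them. The sketch below is an added example, not code from whoof or its author: the function bodies, the mock socket, the runLocally harness, the order in which it runs the stages, and the victim and _attack_instance_id values are all constructed assumptions.

```javascript
// Added example: offline harness for the log attack. Function bodies, the
// mock socket and runLocally() are constructed; nothing here contacts whoof.

// Prepare: runs in the admin web app and must return params.
function prepare(params, logger) {
  if (typeof params.message !== 'string' || params.message.trim() === '') {
    logger('message is empty, attack cancelled');
    params._cancel_attack = true; // any truthy value prevents execution
    return params;
  }
  params.message = params.message.trim();
  logger('attack successfully prepared');
  return params;
}

// Execute: runs in the target page, where `socket` is a global variable.
function execute(params) {
  console.log(params.message);
  socket.emit('message', 'log attack running');
  socket.emit('result', { message: `Successfully logged ${params.message}`, params });
}

// Followup: runs in the admin web app once the result event arrives.
function followup(params, logger) {
  logger(`result received from attack for victim ${params.victim}`);
}

// Hypothetical harness: the order of steps is an assumption drawn from the
// page's description, not whoof's own code.
function runLocally(inputs) {
  const terminal = []; // stands in for the admin terminal
  const logger = (line) => terminal.push(line);
  const params = prepare({ ...inputs }, logger);
  if (params._cancel_attack) return { executed: false, terminal };
  params.victim = 'victim-1'; // constructed ID
  params._attack_instance_id = `ws-1234 ${new Date().toISOString()}`; // constructed format
  globalThis.socket = {
    emit(event, payload) {
      if (event === 'message') logger(payload);
      if (event === 'result') {
        if (payload.message) logger(payload.message);
        followup(payload.params, logger);
      }
    },
  };
  execute(params);
  return { executed: true, terminal };
}
```

Calling runLocally({ message: 'hello' }) returns the terminal lines in the order they were logged; an empty message returns executed: false with only the cancellation line.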

Saving

You can save your changes or new attack by clicking the save button.

Executing

You can test your attack while developing by executing it with the execute button.

Deleting

If you are editing an existing attack, you can delete it by clicking the delete button.