How does a watering hole attack work?

Watering hole attacks are one of the most dangerous cybersecurity issues because victims can be compromised simply by visiting a legitimate website. In this episode of Cyber Work Applied, Keatron walks through a real watering hole attack example. The full walkthrough is the episode "How to carry out a watering hole attack" in the free Cyber Work Applied series.

Watering hole attack example and walkthrough

The edited transcript of Keatron’s watering hole attack walkthrough is provided below, along with a portion of the code he uses.

Watering hole attack demo overview

(0:00–0:44) We’re going to look at how to go step by step through a watering hole attack. We’ll configure it, set it up and watch the results of what happens when an unknowing victim comes and visits the site after someone’s set up a watering hole attack. I’m going to go ahead and quickly set up the exploit on my side. Then I’ll visit the website that’s vulnerable to cross-site scripting, and I’m going to end up planting my watering hole attack on that cross-site-scripting vulnerable site. Finally, we’ll switch over and look at it from the victim’s perspective. We’ll actually see the victim visit that site after I’ve put my code there. So let’s go ahead and dive into it.

Setting up the exploit

(0:45–1:30) I’m going to complete setting up the exploit here using Metasploit. I’m going to set just a few little parts here: the port that I’m going to listen on, and something called a URI path. The URI path is the location behind that IP and port that we’re going to have this machine visit.

msf exploit(ms11_050_mshtml_cobjectelement) > set SRVPORT 8080
msf exploit(ms11_050_mshtml_cobjectelement) > set URIPATH aa
msf exploit(ms11_050_mshtml_cobjectelement) > ifconfig

So there’s all my stuff. I go ahead and launch the exploit.

msf exploit(ms11_050_mshtml_cobjectelement) > exploit

At this point, what I’ve done is set up the exploit that’s going to exploit whoever’s browser happens to visit my site. The challenge here is how do I get someone to visit this little malicious site I’ve just set up here? Well, the way we’re going to do that is via a watering hole attack.

Setting up a watering hole attack

(1:31–3:39) We’re going to find a site that we know people are going to visit. Then on that site, we’ll find a cross-site scripting vulnerability and plant a pointer that points back to our malicious site. Then we just wait for people to come cash in for us.

Using Damn Vulnerable Web App (DVWA)

Let’s go ahead and take a look at how that happens. This site right here is a malicious site. It’s a VM that you can get on the open-source web here from the OWASP website. I’m just going to set it back to its default.

Cross-site scripting via an iframe

I’m going to go ahead and go to stored cross-site scripting. Then I’m going to log in, and let’s just pretend this is any site you visit frequently. On this site, I’m going to go ahead and post a comment, as we would anywhere else. In that comment, I’m going to put in an iframe tag that points to the server that we were just on, which is the machine that we’re sitting on now. So I’m going to put a pointer back to my machine, which is 204, and the port was 8080, and the URL was AA, right? That’s my iframe.