Tutorial: BeEF and Armitage/Cobaltstrike Integration - Part 01
September 26, 2017
September 26, 2017
Hi, everybody. I'm @thebenygreen, and I will introduce you to one of my codes, Beefstrike.BeefStrike is a Cortana script for BeEF integration inside the Armitage ( a Metasploit GUI). The result is the ability to use client-side exploits like remote exploits and automate BeEF command execution after hooking. One of the great power of Armitage is his ability to easily integrate third-party software with Cortana scripting language.Let's start from the beginning.I will share with you "re-visited" articles I had write related to how to use it.Have fun.
Ok, you know, cyber attacks and the Internet are like fish and water, the first proliferate in the second. What looks like a website can actually be a little cyber weapon (destruction, infiltration, espionage, tracking ... ). You will hear about client-side exploits. Client-side exploits take advantage of vulnerabilities in software clients, web browsers: such as email applications and media players (eg, Internet Explorer, Firefox, Microsoft Outlook, Thunderbird ... ). They can exploit vulnerabilities present in wide libraries used by client applications. For example, a vulnerability in an image library that renders JPEG images might be exploitable via a web browser or an email application.
VULNERABILITIES OF WEB APPLICATION IN THE DISSEMINATION OF COMPUTER ATTACKS
Cross Site Scripting Vulnerabilities
Cross Site Scripting or XSS, is the fault present on the web, and far enough. The XSS vulnerability is characterized by a potential injection of arbitrary code in the HTML that will be rendered to the browser. In other words, the attacker will be able to change any aspect of the Site or inject script in the victim will then see the screen. Faille XSS remains present for a number of years already Top3 ranking OWASP Top 10 most critical web vulnerabilities.
One of my favorite tools to exploit XSS vulnerabilities is BeEF and I 'll tell you why.
The Browser Exploitation Framework ( BeEF )
Appart from being a browser's exploitation tool, BeEF is especially a great tool for build the profile of a target (Foothold). As we have a client-side exploitation, this is how we also have client-side reconnaissance. This functionality, which is also denoted by the word "System profiling " (see Cobalt Strike and Social Engineering Toolkit [SET]) turns out to be far more productive for pentester during the reconnaissance phase compared to conventional recon (remote recon). I really like the "system profiler" functionality of Cobalt Strike. But apart that it is an exclusive feature of Cobaltstrike. Like Raphael Smudge said himself, this functionality can be easily reproduced. I think that the use of BeEF as a system profiler allows you to push a little further the concept of system profiling. Indeed, using cleverly the trust relationship established between the legit site and the compromised browser, an attacker can collect dynamically extra information about the target. We can call it Interactive Reconnaissance.
BeEF can be used to throw a more powerful scenario of social engineering that will take profit from all the information collected from the victim browser and the trust canal established with his browser.
Example 1: Through a well-designed lightbox a graphical appearance comes from the compromised websites or a previously visited website.
Example 2: A little fake survey to draw up a psychological profile of the user behind the browser. [Crazy but already tested]
By Web Morphing attack I mean a scenario of social engineering able to change his skin to suit the needs or the context of the actual user and dynamically use the best exploit > pwn. No need to explain you the improving success of this kind of social engineering.
BeEF and Metasploit integration and limitation
Metasploit is a project ( open-source, under modified BSD License ) on computer security that provides information on vulnerabilities, helps the penetration of computer systems and the development of signatures for the IDS. The best-known sub-project is the Metasploit Framework, a tool for the development and execution of exploits (malicious software) against a remote machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research. There are more client-side exploits in Metasploit than remote exploits. The client-side exploits have the particularity to require the user interaction on the target system (Social engineering) to bring it him to visit the page where a browser vulnerability is exploited.
The idea of coupling then the Metasploit Framework and BeEF framework appeared clearly as a good chemistry of interest. There is, in fact, a plugin for BeEF and Metasploit integration. It is the work of Christian Frichot Aka xntrik.
With this plugin, the pentester is able to import directly zombies into Metasploit's database, interact with zombies directly through the console of Metasploit. But this plugin seems to have limits, especially when it comes to sending commands with parameters. This state of affairs greatly limits your flexibility as pentester. But apart from this integration problem, it has often been a much bigger problem.
BeEF zombie management problem and existing solutions
One of the major problems of BeEF has often been the management of a horde of zombies. The proposed solution has often been the automation of commands to run after a zombie appeared in the horde. Indeed, try to run commands against each zombie can quickly become embarrassing. Especially because many zombies sometimes are online for a very short period, just the time to visit the vulnerable page and leave the site (the problem of persistence). Since his PHP version, BeEF' team always worked to provide a way to persist and autorun commands on each zombie. On Ruby Version, for example, there is the appearance of an API that can be used to perform autorun actions.
A good solution is also known that have been proposed by Trustwave SpiderLabs. Trustwave guys have developed an injection solution for BeEF in a LAN through a MITM attack ( shank.rb ) but also a script ( autorun.rb ) for automating BeEF orders. With this solution managing, larger numbers of Zombies Becomes more practical, and the Ability to Rapidly parse large groups of hosts also become possible. Here is a reading that I recommend: http://blog.beefproject.com/2012/12/beef-shank-beef-mitm-for-pentests.html. But with a shank ( and this is my personal opinion) the graphical side of zombies' management like in the web interface of BeEF risk to miss you. I think about more malleable tool through a graphical interface. On the whole, the problem of automating BeEF commands can be solved through the API. It remains to find a good compromise between automation, zombies' management and intuitive interface.
Metasploit autorun problems, solutions, and limitations
With BeEF, once the zombie is online, It very easily sends a Metasploit exploit and gets a shell if the browser of the target is vulnerable. So that we jump from browser control to the system controller. Metasploit also knows or has experienced a problem with the automation of controls in post-exploitation. Once the shell and then got a Meterpreter session created, it must intervene manually on each host for further operations. There are some solutions for Metasploit post-exploitation automation but for me the better is: Cortana.
Cortana is a monster speaker, hidden behind windows 10 OS family ...
Hmm ... uh! sorry.It's not that Cortana.
Did I mention Armitage and his big brother CobaltStrike? No? Big mistake!
Ok, the Metasploit framework is a command line tool and to make it simple, let's say Armitage and Cobalstrike are graphical interfaces for Metasploit ( Cobalt Strike goes far anyway). But what makes these two so special in my opinion, is the scripting language with which they come and change the whole possibilities for a pentester: Cortana.
Cortana transforms thinking pen-testing and red teaming. The possibilities are enormous. For a brief summary, using Cortana, you may develop a stand-alone bot and join it to your red team. Cortana bots scan hosts, launch exploits and work on compromised hosts without stepping on each other or getting in the way of their human teammates. You can increase your strength by 2, 3, 4 ... Here is a little image that summarizes Cortana.
Raphael Smudge ( Armitage / Cobalt Strike creator ) Discuss Cortana and why cooperation, distribution, and automation are significant here:
Cortana a great ability to act as a bridge between several programs to benefit Armitage. That ease the integration of several tools and can afford to work with your favorite pen-testing tools through a single interface.
Cortana is already a clear success in automation for Metasploit. Using BeEF RESTful API, Cortana can then with ease interact with the BeEF server. Better, Cortana can be used to automatically run BeEF's modules against each zombie through Armitage. By combining all these actors, pen-testing experience takes on a different taste. It becomes possible to use ( test ) client-side exploits as if they were remote exploits. Beefstrike is a proof-of-concept script. Its purpose is to show the possibilities rendered by this marriage.
So what is beefstrike.cna?
Integrating BeEF in Armitage offers many possibilities. The main ones are the automation of sends BeEF's commands, the control, and management of zombies is much more intuitive.A script for Cortana BeEF integration inside the Armitage Metasploit GUI has been written. The result is the ability to use client-side exploits like the remote ones. One of the great power of Armitage is his ability to easily integrate third-party software with Cortana scripting language.For BeEF and Armitage integration here is the script called: beef_strike.cna.
What it does is:
- Use MiTM tools to Inject beef hooks all over the LAN ( LAN 's users browse a website and are automatically hacked )
- Auto import all the new zombies inside Metasploit database
- Perform client-side profiling with the help of beef 's client-side recon. modules.
- Auto perform for MiTB attack to ensure persistence on the victim 's browser
- Assist you to dynamically send client-side exploits to a zombie (like you do with remote exploits)
- Autorun batch commands, based on the victim 's characteristics.- Geolocate victims on a google map, and are able to track their positions.
- Generate a malicious browser extension that you can use for backdooring the victim browser for a long-term interaction.- Provide you an interface to quickly interact with each BeEF's victims, just like Armitage offers a quick access to main meterpreter commands (scripts).
To give you an idea of what can be achieved with this wedding here is a scenario.
Example: You started your BeEF server and run a campaign to recruit new zombies.Cortana works on your side and every new zombie appear in your Armitage interface. After that, with no human's intervention here's what happens:Every time that a new zombie appears, module starts to ensure persistence in the browser ( MITB ), a series of modules retrieves information about the user 's browser, its system, its applications, its networks, its location (client - side recon ). Among the information collected was the type of browser used and plugins enabled.
Then based on the information gathered, you can select client-side exploits and use them on the fly.
* Or load a battery of the best customer exploits corresponding to different target profiles. A script then scans each zombie and map the exploits susceptibles to work fine against our target and direct them to the browser (through an invisible iframe).
We will see how to use beef strike in Part02. Thank you, guys.