In information security, when we talk about external attacks, you will realize that the browsers are generally called in contribution. It’s simple: browsers are a good entry door and even with no 0day exploits on hand, you can even get a shell
. For a pentester, it is a good skill to know how to play with browsers and get inside the box. For this task, BeEF can do the job. In this post, I will present to you how to combine the power of BeEF with those of Metasploit
and Armitage or Cobalt strike. To do that, we will use my Cortana bot script called beef_strike.cnaFirst of all, download beef_strike: then read!
- Read the readme file,
- Open lib folder and read the read_this.txt
- Download dependencies and put it inside the lib folder.
Open beef_strike.cna with notepad and modify the Import lines to point to the right path of the different libraries (previously downloaded).You need to start team server and connect to it. Beefstrike is written to interact with a team server.I recommend using it on Kali OS, but it should also work on other Linux distros.Ensure that PostgreSQL and Metasploit service are running, if not start them. You may need to modify a little bit your team server file before launch. It's located in the Armitage folder.Example on Kali 1.x: Leafpad /usr/share/armitage/teamserverModify the last line and point to the absolute path of armitage.jar: /usr/share/armitage/armitage.jarObviously, for Cobalt strike, it will be cobalstrike.jar
You are now ready to start and connect your team server.Type: /usr/share/armitage/teamserverRun Armitage and connect to the teamserver.
Once connected, you need to load beefstrike via the script menu. You will see something like this:
A new menu option has appeared on the menu bar: “BeEF”
Beefstrike is ready and you must feed it with a RESTful API key from any beef service.Go to BeEF > start > Control BeEF service > BeEF path
And setup the right path of BeEF folder.On Kali 1.x it is /usr/share/beef-xssIt’s very useful for the next actions to verify this value, otherwise, further actions can be broken.
After that, you can start the Beef service directly from Armitage (you can also stop it).The command that will be pushed to your system is service beef-
so it will just work if your BeEF service can be started this way. Otherwise, you will need to start BeEF from the console.Goto : BeEF> Start > Control BeEF service > STARTNow that your service has started, you can connect to it.Goto : BeEF > Start > ConnectOnce connected to your BeEF server, it will retrieve the RESTful API key of your BeEF's server instance.
Now Beefstrike is ready to eat beef’s JSON flesh :-)Let’s check what appears on Commands tabGo to BeEF > View > CommandsLike you can see, all the BeEF’s modules are ready to be used. Read the description to know what each module are supposed to do.
We will try to execute modules soon. But first we want to create a Hooker service, I mean a hosted web page with the hook agent of BeEF embeded.Why create it this way ?Because it will bring BeEF vector as a Metasploit jobs. And what ?.. By bringing it as a Metasploit jobs, we will be able to control it through the same interface. Example, if we work on Cobalt strike, by doing so we will be able to easily mixing the BeEF vector with other features like web cloning, mass mailer and so on. I have show this process on a previous video.
You will be prompted to configure the SRVHOST and the PORT of the Hooker. Default are local IP and port 8080
After that a ready to launch Metasploit HTTP module will appear. All you have to do is to click on “LAUNCH”. Pay attention to the TEMPLATE option, you can see where the hooker code have been generated and stored. You can modify the resulting HTML as you whish.
Let’s open this URL on a browser : http://192.168.1.100:8080
And Bingo ! the zombi are registered on Metasploit database and appear in your UI.
If you switch on BeEF tab, you will see that beefstrike have try to execute a battery of modules against our target but nothing have been found. For Every new zombie, the Man-in-the-Brower module are automatically launched. Why? Simply because it’s the best module for persistence purpose actually.
You can read on that picture “Geolocation stored”. In fact once a new zombie join the horde, beefstrike try to geo localize him and store his position. To see that position on a google map,just go to BeEF > View > Geolocation – Select an entry on the tab > make a right click > see map or TrackBased on the Session ID of each zombie, if a zombie leave the horde, change his geo-position and join the horde later, a new entry with the same session ID but a different geo-position will be stored. So that we will have two entry for the same zombie. This two entry can be used to generate a tracking map and maybe better know where the target used to connect to Internet. That information can be valuable depending on the kind of operation you drive.Example of a tracking map:
Now we will try to execute a module of our choice against our zombie. Let’s choose “Pretty Thief”.Go to BeEF > View > Commands - Select the command > make a right click and Copy ID
To interact with a particular zombi, you need to make a right click on it and select “BeEF”
A tab named with the IP adress of zombi(s) will appear. Select and make a right click. You will see some ready to launch modules for quick accessibility.
Beefstrike will take care of parameters of each commands and facilitate the configuration. Modules are organised in five block:
|Recon||Port scan, Ping Sweep, DNS Enumeration, Fingerprint Network|
|Attack||Drive-by (send invisible iframe), Raw JS|
|Special||Get_cookie, Screenshot, Webcam, Play sound, Geolocation|
|Social Eng.||Clickjacking, TabNabbing, Fake flash update, Pretty thief, Clippy, XPI Dropper, HTA-PowerShell, UI Abuse|
|Persistence||MiTB, Foreground iFrame, Confirm close tab|
We will see how to boost Reconnaissance next on this post. For now, we want to execute a module: “Pretty Thief”. There is many modules on BeEF and for those not provided for quick access, you can use the “send Command” menu to send it. So, for this demo we will not use that menu (even if Pretty thief is available for quick access).
Remember we have copied the ID of the command first, it’s time to paste
Beefstrike handle parameters for us, all we have to do is to configure them or use the default values. Here we choose Facebook template
Command are send and we suppose the victim fill the form and submit it.
Beefstrike monitor logs of BeEF server in real time so we know what just happen. Here we see that our command have been effectively send.
We can see all the logs in logs tab, go to : BeEF > View > LogsOk, let’s see the result of “Pretty thief”. For that, we go to results tab.Go to: BeEF >View > Results
Sometime, results are big and see them in a line of tab can be very frustrated. You can select a result, make a right click and click “See data”.Now switch to BeEF console tab to see the results.
Nice!It’s possible to boost the reconnaissance of every new zombie with beefstrike. This is possible by loading a battery of modules which have the goal to gather usefull informations about the target.Just go to BeEF > Attacks > Autorun and click on “Load Recon. Cmds”
Our Recon blast are ready. Let’s visit Hooker with Android device. Once hooked, beefstrike intelligently play autorun partition against the new zombi.
Autorun keep the track of zombi already parsed. So if a zombi is disconnected and reconnect after, autorun will never play again for him. The only way for that to append is to click on “RePlay” button. You can customize parameters for each modules loaded on the autorun tab. Beefstrike will handle them for you. Basically the autorun only focus on the browser type to decide to execute or not execute a module against a target. You can check it on the “Browser field” of autorun tab.Here is the table of all possible value
|All||Execute module for every browser|
|IE||Execute module only for internet Explorer|
|FF||Execute module only for Firefox|
|O||Execute module only for Opera|
|C||Execute module only for Chrome|
|S||Execute module only for Safary|
|Sniper||Forward decision to the Sniper feature|
One of the particular and usefull value here is Sniper. You can use it when the decision to execute a module cannot just be taken on the basis of the browser type. For exemple you can want to run a module only if Java
is enabled or Adobe plugin is installed. Because of his accuracy we call this feature “Sniper”. We will take a look on it after. Return to our Android zombi and check the results of the auto executed modules. After the execution of the “Detect social network”module we now know that the user of this device are currently connected to twitter and not on Gmail.
There is too many new things in Beefstrike that I don’t cover here for example:LAN Infection : now use etterfilter, ettercap and SSLstrip to perform MiTM attack and inject BeEF all over the LAN for every HTTP request on the specified port.DDoS a Website: Can be used to demonstrate the Browser based DDoS attack.DNS: Interact with BeEF DNS rules using the RESTful API …etc.Import/Export options for Autorun and Sniper: Useful to create an exploit-like tools. You save your configuration and you can re-use it through different penetration testing engagement. VIDEO DEMO: https://www.youtube.com/watch?v=e_Xa8ADyAxw
That's all for now.In the part 03, we will see how to generate malicious browser extensions and add it in your attack scheme. This way, you will be able to put a long term browser backdoor inside the victim environment.Thanks for your reading