September 27, 2017
Tutorial: BeEF and Armitage/Cobaltstrike Integration - Part 02
By @theBenygreen

In information security, when we talk about external attacks, you will notice that browsers are usually part of the picture. The reason is simple: browsers are a good entry point, and even without a 0day exploit on hand you can still get a shell. For a pentester, knowing how to work with browsers to get inside the box is a valuable skill, and BeEF can do that job. In this post, I will show you how to combine the power of BeEF with that of Metasploit and Armitage or Cobalt Strike. To do that, we will use my Cortana bot script, beef_strike.cna.

First of all, download beef_strike, then:

- Read the readme file,
- Open the lib folder and read read_this.txt,
- Download the dependencies and put them inside the lib folder.

We will see how to boost reconnaissance later in this post. For now, we want to execute a module: "Pretty Thief". There are many modules in BeEF, and for those not provided for quick access you can use the "Send Command" menu. For this demo we will not use that menu (even though Pretty Thief is available for quick access). Remember that we copied the ID of the command first; now it is time to paste it.

One particularly useful value here is Sniper. You can use it when the decision to execute a module cannot be taken on the basis of the browser type alone. For example, you may want to run a module only if Java is enabled or the Adobe plugin is installed. Because of its accuracy we call this feature "Sniper". We will take a look at it later.

Return to our Android zombie and check the results of the auto-executed modules. After the execution of the "Detect social network" module we now know that the user of this device is currently logged in to Twitter and not to Gmail.

There are too many new things in Beefstrike to cover here, for example:

- LAN Infection: uses etterfilter, ettercap and SSLstrip to perform a MiTM attack and inject BeEF across the LAN into every HTTP request on the specified port.
- DDoS a Website: can be used to demonstrate a browser-based DDoS attack.
- DNS: interact with BeEF DNS rules using the RESTful API, etc.
- Import/Export options for Autorun and Sniper: useful to create exploit-like tools. You save your configuration and can re-use it across different penetration testing engagements.

VIDEO DEMO: https://www.youtube.com/watch?v=e_Xa8ADyAxw

That's all for now. In part 03, we will see how to generate malicious browser extensions and add them to your attack scheme. This way, you will be able to place a long-term browser backdoor inside the victim environment.

Thanks for reading.
| Category | Quick-access modules |
|---|---|
| Recon | Port scan, Ping Sweep, DNS Enumeration, Fingerprint Network |
| Attack | Drive-by (send invisible iframe), Raw JS |
| Special | Get_cookie, Screenshot, Webcam, Play sound, Geolocation |
| Social Eng. | Clickjacking, TabNabbing, Fake flash update, Pretty thief, Clippy, XPI Dropper, HTA-PowerShell, UI Abuse |
| Persistence | MiTB, Foreground iFrame, Confirm close tab |
Beefstrike handles the parameters for us; all we have to do is configure them or use the default values. Here we choose the Facebook template. The command is sent, and we suppose the victim fills in the form and submits it.
Beefstrike monitors the BeEF server logs in real time, so we know what just happened. Here we see that our command has indeed been sent. You can see all the logs in the Logs tab: go to BeEF > View > Logs.

OK, let's see the result of "Pretty Thief". For that, we go to the Results tab: BeEF > View > Results. Sometimes results are large and reading them on a single line of the tab can be very frustrating. You can select a result, right-click and choose "See data". Now switch to the BeEF console tab to see the results. Nice!

It is possible to boost the reconnaissance of every new zombie with beefstrike, by loading a battery of modules whose goal is to gather useful information about the target. Just go to BeEF > Attacks > Autorun and click on "Load Recon. Cmds".

Our recon blast is ready. Let's visit Hooker with an Android device. Once hooked, beefstrike automatically plays the autorun set against the new zombie. Autorun keeps track of the zombies it has already processed, so if a zombie disconnects and reconnects later, autorun will not run again for it. The only way to make that happen is to click the "RePlay" button. You can customize the parameters of each module loaded in the Autorun tab; Beefstrike will handle them for you. Basically, autorun only looks at the browser type to decide whether or not to execute a module against a target. You can check it in the "Browser" field of the Autorun tab. Here is the table of all possible values:
| Value | Meaning |
|---|---|
| All | Execute module for every browser |
| IE | Execute module only for Internet Explorer |
| FF | Execute module only for Firefox |
| O | Execute module only for Opera |
| C | Execute module only for Chrome |
| S | Execute module only for Safari |
| Sniper | Forward decision to the Sniper feature |
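To make the autorun decision concrete, here is an added Python model of how the "Browser" field values in the table above and the Sniper fallback (described earlier on the page) select which modules are dispatched to a new zombie, and how the "already processed" bookkeeping and the RePlay button behave. This is an educational model written for this page, not code from beef_strike.cna or BeEF: the Zombie attributes (`browser`, `java_enabled`, `plugins`), the Sniper predicates, the reported browser names and the lower-case module names in the demo are all constructed assumptions.

```python
"""Model of beef_strike's Autorun "Browser" field and Sniper decision.

Added example, not code from beef_strike.cna or BeEF. Zombie attributes,
browser name strings, Sniper predicates and the demo's module names are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Browser-field values from the table above -> browser name a hooked zombie
# is assumed to report (None = every browser, "sniper" = defer to Sniper).
BROWSER_FIELD: Dict[str, Optional[str]] = {
    "All": None,
    "IE": "Internet Explorer",
    "FF": "Firefox",
    "O": "Opera",
    "C": "Chrome",
    "S": "Safari",
    "Sniper": "sniper",
}


@dataclass
class Zombie:
    session: str                       # hook session id (constructed)
    browser: str                       # browser name as reported by the hook
    java_enabled: bool = False         # assumed attribute used by Sniper rules
    plugins: Set[str] = field(default_factory=set)


@dataclass
class AutorunEntry:
    module: str                        # module loaded in the Autorun tab
    browser_field: str                 # one of BROWSER_FIELD's keys
    params: Dict[str, str] = field(default_factory=dict)


# A Sniper rule is a predicate over the zombie's attributes (assumption).
SniperRule = Callable[[Zombie], bool]


class Autorun:
    def __init__(self, entries: List[AutorunEntry],
                 sniper_rules: Dict[str, SniperRule]) -> None:
        self.entries = entries
        self.sniper_rules = sniper_rules
        self.seen: Set[str] = set()    # sessions autorun has already processed

    def should_run(self, entry: AutorunEntry, zombie: Zombie) -> bool:
        """Apply the Browser field; 'Sniper' forwards to the module's rule."""
        if entry.browser_field not in BROWSER_FIELD:
            raise ValueError(f"unknown Browser field: {entry.browser_field}")
        if entry.browser_field == "Sniper":
            rule = self.sniper_rules.get(entry.module)
            return bool(rule and rule(zombie))
        target = BROWSER_FIELD[entry.browser_field]
        return target is None or target == zombie.browser

    def play(self, zombie: Zombie, replay: bool = False) -> List[str]:
        """Return the modules autorun would dispatch for this zombie.

        A session seen before gets nothing unless replay=True (the RePlay
        button); a reconnecting zombie is therefore not re-processed.
        """
        if zombie.session in self.seen and not replay:
            return []
        self.seen.add(zombie.session)
        return [e.module for e in self.entries if self.should_run(e, zombie)]


def demo():
    """Constructed scenario: an Android Chrome zombie and a Firefox desktop."""
    entries = [
        AutorunEntry("Fingerprint Network", "All"),
        AutorunEntry("Port scan", "C"),
        AutorunEntry("java_check", "Sniper"),    # constructed module name
        AutorunEntry("adobe_check", "Sniper"),   # constructed module name
    ]
    rules: Dict[str, SniperRule] = {
        "java_check": lambda z: z.java_enabled,
        "adobe_check": lambda z: "Adobe Flash" in z.plugins,
    }
    autorun = Autorun(entries, rules)
    android = Zombie("sess-1", "Chrome")
    desktop = Zombie("sess-2", "Firefox", java_enabled=True,
                     plugins={"Adobe Flash"})
    first = autorun.play(android)                 # initial hook
    reconnect = autorun.play(android)             # same session again: nothing
    replayed = autorun.play(android, replay=True) # RePlay button
    firefox = autorun.play(desktop)               # Sniper rules match here
    return first, reconnect, replayed, firefox


if __name__ == "__main__":
    for label, mods in zip(("first", "reconnect", "replay", "firefox"), demo()):
        print(f"{label:10s} -> {mods}")
```

The point of the model is the two-stage decision: a plain Browser value is a pure equality check on the reported browser, while "Sniper" hands the decision to a per-module predicate over whatever the hook has already collected (Java, plugins, and so on), which is why the page calls it the more accurate option. The `seen` set is what makes a reconnecting zombie silent until RePlay is pressed.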