Tutorial: BeEF and Armitage/Cobaltstrike Integration – Part 03

Now that you are familiar with BeEF and the Armitage/Cobaltstrike integration by using Beefstrike, it's time to introduce a major limitation and how to overcome it.

When hacking browsers with JavaScript, persistence has always been important. BeEF relies on Javascript so when you use BeEF to hack a browser, if the victim closes the hooked web page, you will lose your backdoor connection with it and the BeEF’s icon of the zombie displayed on Armitage will turn red.

The use of a malicious extension, can setup a deep persistence for BeEF on the victim’s browser and that is a big advantage. Fortunately, Beefstrike can help you in this process.

If you want to persist on the browser for a long term engagement, you can infect the victim with a malicious browser extension. This extension will set up a persistent link between the victim browser and the BeEF server by injecting BeEF in every HTTP request. Browser extensions are generated with the support of Kango Framework. This framework is designed to create cross-browser extensions only with using JavaScript. To generate our malicious extension, you need to download Kango archive, uncompress it and point Beefstrike to the kango.py file contained in the archive.

Go to BeEF --> Attack --> Browser Extension --> Path to Kango.

Fill the message box with the absolute path of kango.py.

The HTML code injected by beefstike consists of an iframe which points to a web page with the BeEF’s hook.

Go to BeEF --> Attack --> Browser Extension --> Beef-Implant.

You have to follow the instructions provided in each message box, carefully. The first step in this process is to create the project. Beefstrike pushes an external window using xterm. You have to use it and name your project. For this tutorial, we have created a fake LinkedIn browser extension named “LinkedIn Notify”.

When you create a project, a new folder will be created to host the files of that project. You can find these files in:

BeEF_folder/extensions/beefstrike/plugins/PROJECT_NAME.

There are two other important steps in this process. The first is the HTML code that will be injected. Keep in mind that this code will be injected through a script looking like this:

And the default code to inject looks like this:

 

You can manually modify the extension code before generating it. The file to modify is content.js. It is located at: BeEF_folder/extensions/beefstrike/plugins/PROJECT_NAME/src/common/content.js.

The second important step is the modification of the project’s icon. By doing so, you can increase the success ratio of your social engineering scenario. Beefstrike comes with a set of icon packs ready to be used. Open the plugin_iconsfolder. In this folder, you have the icon pack for Twitter, LinkedIn, and Facebook. You can use one of them or create your own icon pack. Each pack has five icons with different sizes. You must respect these sizes if you plan to create your own icon pack. Changing the icon of your project using an icon pack is simple. Just copy the icons and paste them into the project folder of icons. The path is:

BeEF_folder/extensions/beefstrike/plugins/PROJECT_NAME/src/common/icon.

The methods used to deliver a browser extension are substantially the same as those encountered on attacks that rely on social engineering. The most efficient ways are email and social networks. For installation, there are constraints that differ depending on the browser. For example, Chrome only allows the installation of extensions from the official Chrome Web Store repository and not from third-party websites, while Firefox allows it. We will not dwell on this point but you have to be aware of that.

When you use a malicious extension, you must keep in mind that if the browser is closed, the link with C&C server will be broken. When the browser is open again, the link is re-established. Indeed, our malicious extension will perform an HTML injection attack on every unsecured page visited by the victim with BeEF’s hook as the payload. This makes possible a long-term engagement. The word “botnet” makes sense. In fact, BeEF operates like a botnet in design. But the limitation here is the availability of bots or zombies when needed. This is because the availability of zombies is usually conditioned by their effective presence on the booby-trapped page. When you though, this is a highly variable parameter. With our extension installed on a number of browsers, we have a ready-to-use botnet. Botnets are often related to a specific kind of attacks like distributed attacks or espionage.

As we saw in Part 02 of this tutorial:

Distributed brute-force attack using Ravan. Ravan is a JavaScript-based Distributed Computing system that can perform brute force attacks on salted hashes by distributing the task across several browsers called workers. To use a zombie as a worker, you have to download and setup Ravan Web backend first or use the online version. When you submit a hash to Ravan, it will return you a URL. It’s the job link. You can submit that URL to your zombies through hidden iFrame and enslave them. Ravan asks for permission to the user before using his system’s processing power for a job… seriously! We don’t have time for that. So we have to modify the code of Ravana bit. The name of the file to modify is worker.php. We reduce the HTML code as you will see here. The file worker.php after modification: