Ready to Start Your Career?

Tutorial: BeEF and Armitage/Cobaltstrike Integration – Part 03

ben 's profile image

By: ben

September 30, 2017

By @theBenygreenHello, Readers :-)
This is the Part 3 of our tutorial on BeEF and Armitage/Cobaltstrike Integration: (Build botnet of browsers by using malicious extensions).
Now that you are familiar with BeEF and the Armitage/Cobaltstrike integration by using Beefstrike, it's time to introduce a major limitation and how to overcome it.
When hacking browsers with JavaScript, persistence has always been important. BeEF relies on Javascript so when you use BeEF to hack a browser, if the victim closes the hooked web page, you will lose your backdoor connection with it and the BeEF’s icon of the zombie displayed on Armitage will turn red.
The use of a malicious extension, can setup a deep persistence for BeEF on the victim’s browser and that is a big advantage. Fortunately, Beefstrike can help you in this process.
If you want to persist on the browser for a long term engagement, you can infect the victim with a malicious browser extension. This extension will set up a persistent link between the victim browser and the BeEF server by injecting BeEF in every HTTP request. Browser extensions are generated with the support of Kango Framework. This framework is designed to create cross-browser extensions only with using JavaScript. To generate our malicious extension, you need to download Kango archive, uncompress it and point Beefstrike to the file contained in the archive.
Go to BeEF --> Attack --> Browser Extension --> Path to Kango.
Fill the message box with the absolute path of
The HTML code injected by beefstike consists of an iframe which points to a web page with the BeEF’s hook.
Go to BeEF --> Attack --> Browser Extension --> Beef-Implant.
You have to follow the instructions provided in each message box, carefully. The first step in this process is to create the project. Beefstrike pushes an external window using xterm. You have to use it and name your project. For this tutorial, we have created a fake LinkedIn browser extension named “LinkedIn Notify”.
When you create a project, a new folder will be created to host the files of that project. You can find these files in:
There are two other important steps in this process. The first is the HTML code that will be injected. Keep in mind that this code will be injected through a script looking like this:
document.body.innerHTML = document.body.innerHTML + [CODE_TO_INJECT];
And the default code to inject looks like this:
You can manually modify the extension code before generating it. The file to modify is content.js. It is located at: BeEF_folder/extensions/beefstrike/plugins/PROJECT_NAME/src/common/content.js.
The second important step is the modification of the project’s icon. By doing so, you can increase the success ratio of your social engineering scenario. Beefstrike comes with a set of icon packs ready to be used. Open the plugin_iconsfolder. In this folder, you have the icon pack for Twitter, LinkedIn, and Facebook. You can use one of them or create your own icon pack. Each pack has five icons with different sizes. You must respect these sizes if you plan to create your own icon pack. Changing the icon of your project using an icon pack is simple. Just copy the icons and paste them into the project folder of icons. The path is:

Delivery and installation

The methods used to deliver a browser extension are substantially the same as those encountered on attacks that rely on social engineering. The most efficient ways are email and social networks. For installation, there are constraints that differ depending on the browser. For example, Chrome only allows the installation of extensions from the official Chrome Web Store repository and not from third-party websites, while Firefox allows it. We will not dwell on this point but you have to be aware of that.
When you use a malicious extension, you must keep in mind that if the browser is closed, the link with C&C server will be broken. When the browser is open again, the link is re-established. Indeed, our malicious extension will perform an HTML injection attack on every unsecured page visited by the victim with BeEF’s hook as the payload. This makes possible a long-term engagement. The word “botnet” makes sense. In fact, BeEF operates like a botnet in design. But the limitation here is the availability of bots or zombies when needed. This is because the availability of zombies is usually conditioned by their effective presence on the booby-trapped page. When you though, this is a highly variable parameter. With our extension installed on a number of browsers, we have a ready-to-use botnet. Botnets are often related to a specific kind of attacks like distributed attacks or espionage.
As we saw in Part 02 of this tutorial:
  • Beefstrike automatically geo-locates every new zombie based on their IP address once they join the horde. If a zombie leaves the horde and comes back again, his new position will be kept in a tracking table and we can visualize the resulting tracking map later. To obtain a tracking map, go to BeEF --> View --> Geolocation --> Geo Tracking. Select an entry on the tab, right click and select “see map” or “Track”. With the long persistence enabled by the extension, the tracking feature can provide some valuable information about the user’s habits.
  • Beefstrike performs DDoS attacks. DDOS is well known to be driven even by primitive botnets. You can easily simulate this kind of attack with your botnet of browser extensions. Go to BeEF --> Attacks --> DDoS.
  • Beefstrike can assist to perform Distributed brute-force attack
Distributed brute-force attack using Ravan. Ravan is a JavaScript-based Distributed Computing system that can perform brute force attacks on salted hashes by distributing the task across several browsers called workers. To use a zombie as a worker, you have to download and setup Ravan Web backend first or use the online version. When you submit a hash to Ravan, it will return you a URL. It’s the job link. You can submit that URL to your zombies through hidden iFrame and enslave them. Ravan asks for permission to the user before using his system’s processing power for a job… seriously! We don’t have time for that. So we have to modify the code of Ravana bit. The name of the file to modify is worker.php. We reduce the HTML code as you will see here. The file worker.php after modification:
(Don’t remove the MIT License).
With the resulting code of listing 1, zombies will become workers once the job URL is submitted to them. It is possible to check the status of a job for a particular worker. Right click on a zombie entry in the “zombies” tab.
Go to Attack->Raw JS.
Fill the prompt box with the following code:
return document.getElementById(‘out’).innerHTML;
This action executes the JavaScript code provided in the victim’s browser. The job status is displayed in the HTML content of the identified by id value of “out”. The code will return the HTML content of the.
Proxify and hack the internal network. Another way to demonstrate the threat related to the presence of a malicious extension in a browser is probably the internal hacking perspective. It is possible to scan the internal network and browse internal resources using BeEF’smodules. You can even hack into the network using the tunneling proxy feature. The tunneling proxy allows HTTP requests to the hooked domain to be tunneled through the victim’s browser.
You can set up a tunnel by right-clicking on a zombie listed in the “zombies” tab and select Attack --> Proxify.
Once the proxy tunnel has been set up, you can start browsing the victim’s internal network web resources. You have to modify your browser’s proxy configuration and use BeEF’s proxy parameters. BeEF’s team explains this process very well. I recommend you to take a look at their blog.
What about anti-virus?
Much antivirus software is not able to identify a malicious browser extension as is and remove it. This is another reason why this kind of attack represents a serious threat to your privacy.
BeEF hooks are not always detected by most AV and they can be compressed and obfuscated by changing some lines in the configuration files of BeEF. We used the Virustotal service to view the detection rate of this extension as a malicious extension. The result obtained is not reassuring as you can see in. It’s still alarming to see how this simple hacking trick can pass through the mesh of the nets of much antivirus software. The malicious extension of this scenario uses a basic iFrame injection. No special tricks have been used to make the detection harder for defensive solutions. A video demo to illustrate how this extension works is coming soon!
Thanks for your reading, and hack responsibly.
Schedule Demo