Time
10 minutes
Difficulty
Intermediate

Video Transcription

00:03
Hello and welcome back to Breaking Stuff with Joe. I'm, as always, your eponymous host, Joe Perry. And today we're going to be talking about BeEF, not the cow, but the tool BeEF, the Browser Exploitation Framework, a fantastic and key pen testing tool for use against the web browser. Now this is a somewhat unique tool
00:21
compared to some of the Web application pen testing tools that we've talked about previously,
00:25
and we'll talk about in the future because this isn't about targeting someone's web application. It's actually about targeting their web browser. So the way BeEF works is by creating a web page that is hooked or will hook their browser. And it allows you to exploit the web browser of your target. And from there, use that as sort of your stage zero landing point
00:44
into your target system of your target network
00:46
and launch your attacks from there. So we're gonna get to talk about how we actually create those web pages and how we can use them in our pen testing process and in our just general security analysis process, which means that BeEF is useful not just for red team or pen testers but really for anyone who is curious about the safety and security of their web browser
01:03
and anyone who wants to just kind of understand and use and
01:07
sort of utilize in their daily work web security and web browser security. So we're going to cover how to launch BeEF. We're gonna cover how to hook a browser and how to actually use that browser to run commands and use it as our landing point for further exploitation.
01:22
So keep watching. And we're gonna spend about eight minutes figuring out exactly how we can use BeEF as effectively as possible to enable our breaking stuff process.
01:32
So as usual, we're gonna be working out of our Kali VM.
01:36
In here, we're gonna be just going through a very easy navigation process. BeEF is actually preinstalled on Kali for obvious reasons. It's a spectacularly useful exploitation tool, so it's gonna be kind of packaged into Kali, which is designed specifically for all of these great tools. So
01:53
to find it, we're gonna scroll down here to our exploitation tools, which is gonna be number eight,
01:59
and the new menu is kind of a pain to navigate. But you see here BeEF, the BeEF XSS framework, or cross-site scripting framework. Once you click that, it'll open up a terminal
02:10
and you should see that message right there, which is wait for the service to start. I actually already had it running,
02:17
but it starts it up. It takes control of the port. You can see here that the UI is gonna be on the 3000 port address. And, of course, it will automatically open your browser to show you that.
02:30
Once you're finally in this tool, it's a pretty straightforward login process. BeEF has a very simple username-password combo, both of which are just the word beef.
02:40
And it's gonna load up eventually. Once it authenticates, it's gonna load up this Getting Started page. I'll zoom in just a little bit.
02:47
Make it a little easier to read.
02:51
So you can see here. It has sort of some basic information about
02:54
each command has a traffic light. So against a given target, green means that it's gonna work and it should be invisible. Orange means that it should work, but it's gonna be visible that, you know, there might be some interaction for the user. You'll see. I'll show you in a minute. There might be some menu that pops up
03:09
so something to the user might become
03:13
become aware of
03:14
This grey color, which isn't really a traffic light color. But that's okay.
03:19
That indicates that it's not verified. So they don't know or BeEF doesn't know automatically whether or not that particular module is very hot. And then red, of course, means stop. Don't go any further. The command module does not work against that given target.
03:32
There's a ton of information on this Getting Started page as well as down here with this Learn More. The wiki from BeEF is really spectacular, and I highly recommend you take some time to look at it. But since this is a straightforward, kind of a quick tutorial video, we're not gonna spend a ton of time on it. Instead, you can see here that the easiest way to test the functionality, to kind of get the hang of it,
03:53
is to just navigate to this demo page.
03:54
Now, if you look back
03:58
drop,
04:00
you can see here that it has listed the hook
04:04
and an example.
04:05
That hook is what you're actually going to use for performing cross-site scripting, which will be the subject of another class, another video. But that's what will actually be put into a given page with the correct IP address, obviously, so that when someone navigates to that page, BeEF will be able to take over their browser.
04:23
In this case, because we're just demoing it, we don't have to worry about actually setting up cross-site scripting and going through the whole process. We could just click on our basic demo page and that will navigate over here. And it gives us a little bit of a message: we should be hooked into. We will be for sure. And "have fun while your browser's working against you." Nice and
04:41
pleasant from BeEF, being very friendly. When you navigate back over, you can see immediately
04:45
Some new information has popped up in this browsing menu to the left. I'm not gonna open that crypt runs on foot just yet,
04:50
But before we do anything else, we can just kind of hover over that and see some really interesting information. So BeEF is immediately, BeEF is immediately able to detect this is a Linux system. It's working on a virtual machine, which is very useful information if you're manually controlling, you're manually performing this pen test and you see something crop up
05:10
that is a VM, particularly a Linux VM.
05:12
The odds are pretty good that whatever you're targeting is not actually someone you want to mess with right now. That's one of the things that you'll often see. You know, people have sandboxes set up to interact with malware, interact with hackers. It's kind of a gotcha honeypot situation. So being able to immediately detect that you're targeting a VM, if you don't know you should be targeting a VM,
05:30
gives you information that will allow you to make some, some good immediate decisions.
05:34
So you can pop into our current browser, and we'll see a whole bunch of information. You can see it doesn't know the version right offhand, but it does give you the UA string, Mozilla 5.0. It's running on a Linux 64-bit machine, and it's got the Firefox version, the languages in use, again, the platform.
05:48
A lot of really useful information just right out of the gate before you've even actually exploited or targeted them in any meaningful way.
05:55
You're able to collect a lot of useful information about,
05:58
if session cookies and persistent cookies, you can see here where they got hooked from.
06:03
And, of course, you can find out a little bit more information about their browser, which you already saw when you hovered over this. Again, Linux virtual machine, 64-bit. Useful, useful, useful information.
06:14
The next tab over here, you're going to see logs, and it's just going to show you it joined the horde, it's online. The event logs can get a little bit out of order when things are just hooking up.
06:25
That's just a result of the way the data is sort of stored in and input to BeEF.
06:30
But you can keep track. Okay, they're no longer pay attention. The browser windows have to click away.
06:34
Should be ableto, maybe not.
06:36
It should be able to detect whether or not a given browser window is actually in focus. It could be a little bit sketchy, especially since the browser that I'm using is also the browser that I'm running from.
06:46
Over here, the probably most important part is the command list. So this is where you'll navigate. And again, remember that when we looked back at the Getting Started page, we've got those traffic lights that indicate to us, okay, this is what each of these colors mean. So that's something to be conscious of as you're going through your commands.
07:04
But if you just expand these folders, you can see Detect Foxit Reader, QuickTime, Silverlight, all of these different detection options, which are invisible to the user.
07:15
now
07:15
saying that they're completely invisible is a little bit of a stretch. In some cases, for example, this webcam set up
07:21
it's something that will look completely benign to the user, but it does require them to actually interact. And I'm going to zoom this out just a little bit so you can actually
07:30
interpret what we're seeing over there. Here we go,
07:33
So you can see it will show the Adobe Flash "Allow Webcam" dialog to the user. They have to click the Allow button. This is, this works using Flash, which is one of the many, many, many, many, many, many reasons why your security engineers, your network admins and all the people who are in charge of the security of your given system
07:51
disable Flash, tell you not to use Flash,
07:54
don't let you enable it. And it's because that enables attacks like this. So it will send a title; it will say "This website is using Adobe Flash",
08:03
the social engineering text. Both of these you can edit
08:05
The social engineering text, that's just basically what message do we want to send to convince our target to let us do what we're trying to do here. In this case, it just basically says, in order to work with the programming framework, you have to enable Flash. And if you use Ajax in HTML5, it will increase your experience.
08:22
Then you tell them how many pictures you want it to take and then give it the interval to take pictures. I'm not actually going to run this specific command against my browser just because I haven't secured.
08:33
Um,
08:35
But that being said, that's, that's one of the things you're able to do. It's definitely something that I recommend you test out. Down here, you can see some of our reds that we know don't work. You can't detect Microsoft Office, you can't detect ActiveX. You can't detect Spider. I None of these work against the given platform that we're targeting,
08:50
but we can very quickly and easily see what it looks like to actually run one of these. So we're just gonna detect and see if our target browser, which again is this Firefox browser, is using the Foxit Reader.
09:01
So you just click on the command you want to run, and then you're going to hit the Execute button,
09:07
and it'll run, and you can see here we've got a message, command results: no, Foxit is not active on that system. And it's as straightforward as that. The commands are very, very easy to run. You select what you wanted to do, you say execute, and it'll work.
09:22
So that's gonna be all there is for BeEF. Again, it's just a straightforward walkthrough of this tool. We want you to get the information you need to be dangerous and to be able to kind of
09:31
play around with it, get some experience. We do have labs available for BeEF that you should be able to get access to. Right now, it's a really spectacular tool and definitely one that is going to be a big part of your pen testing process.
09:45
As always, I want to thank you for watching this video. These tools are a major component of being a successful pen tester, and so, in order to use them effectively, of course, we kind of make sure that you have sort of that information you need. So it's great fun. It's a lot of fun for me to make these, and hopefully it's a lot of fun for you.
10:03
And in this video, as always, we launched our tool. We hooked it well. We learned how to use it properly.
10:07
In this case, that means we hooked a browser, ran a command, and we determined that we actually can use BeEF effectively and dangerously against a given party. So thank you all for watching. As always, this has been Breaking Stuff with Joe, with me, your host, Joe.

How to Use BeEF (BSWJ)

The Browser Exploitation Framework (BeEF) is a pentesting utility focused upon exploitation of and by the web browser. It's used throughout the offensive security world in order to target web-based applications.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor