Project 16: BeEF (10 pts.)

What You Need

Purpose

BeEF exploits XSS vulnerabilities to inject JavaScript into a browser, and after that it can do a lot of nasty things to the target. It's got a lot of attacks, and only a few of them work on each target system. I chose a few fun ones that work in our environment.

Network Settings

Start your Kali virtual machine.

Place both machines in NAT networking mode.

Ping your Kali machine from the Windows machine and make sure you get replies.

Use ifconfig to find the IP address of your Kali machine and make a note of it.

Starting BeEF on your Kali Machine

In your Kali machine, in a Terminal Window, execute these commands.

(There's a BeEF icon on the desktop, but it doesn't work.)

cd /usr/share/beef-xss/
./beef

Several services start, ending with the message "BeEF server started", as shown below.

In Kali, at the top left, click Applications, Favorites, "Firefox ESR". In Firefox, go to:

http://127.0.0.1:3000/ui/panel

The BeEF login page appears. Log in with a username of beef and a password of beef, as shown below.

BeEF's control panel opens, as shown below.

Currently there are no "Online Browsers" that you control.

Viewing the BeEF Demo Page

In the BeEF control panel, right-click here, as outlined in green in the image above, and click "Open Link in New Tab".

Click the new tab to see it, as shown below. This page contains JavaScript loaded from BeEF, which enables BeEF to execute commands within the browser.

Return to the "BeEF Control Panel" tab.

You should see 127.0.0.1 in the "Online Browsers" section, as shown below.

Opening the Demo Page on the Target Machine

On your target machine, open Chrome and go to this address, replacing the IP address with the IP address of your Kali machine:

http://172.16.1.187:3000/demos/basic.html

After a few seconds, BeEF shows the IP address of your target system, as shown below.
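
The demo page can pull in BeEF's script because nothing restricts where the page may load scripts from. As a defensive counterpart, the following added example (not part of the original lab or of BeEF) is a simplified Content-Security-Policy check showing which policies would refuse a script served from the BeEF host. Assumptions: `hook.js` is BeEF's default hook path, `shop.example` is a hypothetical site, and the matcher ignores nonces, hashes and paths.

```javascript
// Added example: simplified CSP check for external <script src> loads.
// Covers 'none', 'self', '*', scheme sources and host sources; nonces, hashes,
// paths and script-src-elem are out of scope.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, sources); // first wins
  }
  return directives;
}

const defaultPort = (protocol) => (protocol === 'https:' ? '443' : '80');

function sourceMatches(src, script, page) {
  if (src === "'self'") return script.origin === page.origin;
  if (src === '*') return /^https?:$/.test(script.protocol);
  if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return script.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? scheme + ':' : page.protocol;
  const schemeOk = script.protocol === wantScheme ||
    (wantScheme === 'http:' && script.protocol === 'https:');
  const hostOk = wildcard ? script.hostname.endsWith('.' + host)
                          : script.hostname === host;
  const scriptPort = script.port || defaultPort(script.protocol);
  const portOk = port === '*' || scriptPort === (port || defaultPort(script.protocol));
  return schemeOk && hostOk && portOk;
}

// Returns true when the policy (or its absence) lets the page load scriptUrl.
function scriptAllowed(cspHeader, pageUrl, scriptUrl) {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl, page);
  const policy = parsePolicy(cspHeader || '');
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no directive governs scripts
  return sources.some((src) => sourceMatches(src, script, page));
}

// Constructed inputs: lab address from this page, hypothetical site shop.example.
const HOOK = 'http://172.16.1.187:3000/hook.js'; // assumed BeEF default hook path
const SITE = 'https://shop.example/cart';
console.log('no CSP:', scriptAllowed('', SITE, HOOK));
console.log("script-src 'self':", scriptAllowed("script-src 'self'", SITE, HOOK));
```

A page with no policy, or with `script-src *`, accepts the external script; `script-src 'self'` or a `default-src 'self'` fallback rejects it while still allowing the site's own scripts.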

Exploiting Chrome: Clippy

This social engineering attack will pop up Clippy, prompting the user to download a file.

Before executing the attack, we need to put several images and a fake malware file on Kali.

On Kali, open a new Terminal window and execute these commands, replacing "YOURNAME" with your own name (without spaces):

cd /usr/share/beef-xss/extensions/demos/html
wget https://samsclass.info/124/proj14/clippy.tar.gz
tar xvf clippy.tar.gz
touch pwned-by-YOURNAME.exe

In the "BeEF Control Panel", on the left side, click the Online Browser beginning with ?.

On the right side, the "Browser UA String" shows that this is Chrome, as shown below.

In the "BeEF Control Panel", in the right pane, click the Commands tab.

In the "Module Tree" section, at the bottom, expand the "Social Engineering" folder.

Click Clippy as shown below.

In the "BeEF Control Panel", on the right side, there are several fields to fill in, as indicated by the green outline in the image below.

Enter these values into those fields, replacing the IP address with the IP address of your Kali machine, as shown below.

Clippy image directory: http://172.16.1.187:3000/demos/
Executable: http://172.16.1.187:3000/demos/pwned-by-YOURNAME.exe

At the lower right, click the Execute button.

On your target machine, in Chrome, Clippy appears, prompting you to download a file, as shown below.

Saving the Screen Image

Make sure Clippy is visible.

Save a whole-desktop screen capture with a filename of "Proj 16a from YOUR NAME".

Exploiting Chrome: Google Phishing

In the "BeEF Control Panel", in the "Module Tree" section, in the "Social Engineering" folder section, click "Google Phishing" as shown below.

On the right side, in the "XSS Hook URI" field, replace "0.0.0.0" with your Kali machine's IP address, as shown below.

At the lower right, click the Execute button.

On your target machine, in Chrome, a fake Gmail login page appears, as shown below.

Log in with these fake credentials:

In the "BeEF Control Panel", in the "Module Results History" pane, click command1. The stolen credentials appear on the right side, as shown below.

Saving the Screen Image

Make sure YOURNAME is visible in the stolen credentials, as shown above.

Save a whole-desktop screen capture with a filename of "Proj 16b from YOUR NAME".

Exploiting Chrome: Pretty Theft

In the "BeEF Control Panel", in the "Module Tree" section, in the "Social Engineering" folder section, click "Pretty Theft" as shown below.

At the lower right, click the Execute button.

On your target machine, in Chrome, a fake Facebook login dialog appears, as shown below.

Log in with these fake credentials:

In the "BeEF Control Panel", in the "Module Results History" pane, click command1. The stolen credentials appear on the right side, as shown below.

Saving the Screen Image

Make sure YOURNAME is visible in the stolen credentials, as shown above.

Save a whole-desktop screen capture with a filename of "Proj 16c from YOUR NAME".

Turning In Your Project

Email the image to cnit.124@gmail.com with a subject of "Project 16 from YOUR NAME".

Sources

Kali Linux [BeEF-XSS]: Hacking browsers using BeEF Framework


Posted 11-18-15 by Sam Bowne
Revised 9-5-17
Explanation added 2-26-19