Monday, May 21, 2012

BeEF In a Real World Pen Test - Part 2: Tasty BeEF nuggets, line, hook and sinker (Social Engineering to get a hook)

In the first part of this series, we explained pre-hooking basics for reaching the maximum number of targets. In this post, we will go through the hooking process; taking into consideration the different social and technical aspects to hook the target’s browsers for as long as possible.

Preparing The Line
During recon of our target, we harvested a few e-mails and infiltrated some social media outlets. Some hints from the conversations we observed between employees led us to the unofficial Facebook group for Contoso. Here, we learned that an internal football tournament is held yearly in a nearby stadium. It's organized by an internal "Sports Committee."

We even found some pictures of last year's winners holding a trophy. We also spotted a couple of people talking about internal e-mails with special discounts on sunglasses as part of an employee benefit program.

On Twitter, we found a couple of interesting hash tags: #screwContosoBoard with quite a bit of anger from employees towards Contoso's management and board of directors.

We also bought a phishing domain "" and a valid SSL certificate for it. Finally, a quick web vulnerability scan identified a reflected cross-site scripting (XSS) vulnerability on Contoso's main website.

We will use this information to build our hooking strategy. We want to use our phishing domain and XSS exploit links to lure browsers on three main fronts: corporate e-mail, Facebook and Twitter.

Monday, May 14, 2012

BeEF In a Real World Pen Test - Part 1: BeEFy Marinades (Pre-hooking Profiling and Trust Yield)

In this installment, we'll be talking about pre-hooking activities: how to build on the information from our target with social engineering to gain the trust required for stable BeEFed browsers.

Part I: Assumptions
Our engagement is a ten day project. As part of the standard engagement, the basic information we get from our client is:
  • Target company’s external IP address range.
  • The names of CEO, IT director, HR manager, and the names of a couple of normal employees.
  • The most important asset of the company (e.g. financial records, network availability, etc.).

We'll want a phishing domain and some social media presence for our cons. For this scenario, we'll use Microsoft’s notorious fictional company, Contoso Ltd. (“We love Microsoft!”, as the Three Musketeers would say. Kudos Ed Skoudis, Kevin Johnson and Joshua Wright).

Friday, May 11, 2012

Teaser: BeEF In a Real World Pen Test

We post about some things we hope you'll think are pretty cool. But, we also know you want to know how BeEF can be used in a real world scenario. So, let’s talk about why BeEF is great for dinner, and why it’s a great addition to your social engineering and pentest diet.

On Monday, we'll begin a series to walk you through pentesting with BeEF, starting from initial research and continuing through final results.

In the first part of this series, we’ll walk you through clever ways to hook your victims using social media and some other tried and true phishing methods.

In the second part, we'll explore limiting the scope of your hooking, and explore how things like pop-under and man-in-the-browser attacks can maintain persistence once you get your victim on the line.

In the third part, we’ll talk about how to collect information from the target, including what information you can get from cookies, the clipboard, and even the operating system.

Then we’ll talk a bit about how you can use the information you’ve gathered to get further into the network.

Tuesday, May 8, 2012

Browsers, Browsers, Browsers!

While everyone is arguing about the next big thing in cloud or whether or not anti-virus is dead, we at the BeEF Project are quietly pwning the big gaping door everyone is leaving open: the browser.

We've found some clever ways to hook zombies that don't involve the traditional boring phishing email, and we've put some good hard thought on how to get other juicy nuggets from our initial foothold in the browser.

We don't care about your security infrastructure, either >=)

So, if you want a break from all the mainstream babble, keep an eye out for more releases about our proof of concept code. Maybe you'll even see us in Las Vegas.