Monday, May 21, 2012

BeEF In a Real World Pen Test - Part 2: Tasty BeEF nuggets, line, hook and sinker (Social Engineering to get a hook)



In the first part of this series, we explained pre-hooking basics for reaching the maximum number of targets. In this post, we will go through the hooking process; taking into consideration the different social and technical aspects to hook the target’s browsers for as long as possible.

Preparing The Line
During recon of our target, Contoso.com, we harvested a few e-mails, and infiltrated some social media outlets. Some tips from the conversations we observed between employees led us to the non-official Facebook group for Contoso. Here, we learned that an internal football tournament is held yearly in a nearby stadium. It's organized by an internal "Sports Committee." 

We even found some pictures of last year's winners holding a trophy. We also spotted a couple of people talking about internal e-mails with special discounts on sunglasses as part of an employee benefit program.

On Twitter, we found a couple of interesting hash tags: #screwContosoBoard with quite a bit of anger from employees towards Contoso's management and board of directors.

We also bought a phishing domain "Contso.com" and a valid SSL certificate for it. Finally, a quick web vulnerability scan identified a reflected cross-site scripting (XSS) vulnerability on Contoso's main website.

We will use this information to build our hooking strategy. We want to use our phishing domains and XSS exploit links to lure browsers at three main frontiers: Corporate email, Facebook and Twitter.


Preparing The Hook
First, we set the hook on our phishing page. It should have the same anatomy as the original website (header, footer, side panes, CSS, etc.), served on our “secure” SSL-enabled phishing page on Contso.com. We'll add a loading progress bar in the middle pane and put up a user-friendly message that says "this page might take some time to load." We'll set up the progress bar with an inverse exponential decaying function. The JavaScript code below is an example of the progress code that can be used.



// Progress that advances quickly at first and ever more slowly toward the end
// (inverse exponential decay), as described in the text.
const totalProgress = 100;
let currentProgress = 1.0;

// JavaScript has no blocking sleep(); use a Promise-based delay inside an async loop.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

async function runProgress(onUpdate) {
  while (currentProgress < totalProgress) {
    currentProgress += Math.exp(currentProgress / -3);
    onUpdate(currentProgress); // e.g. set the bar's width to currentProgress + '%'
    await sleep(100);
  }
}

Disclaimer: None of this code is taken from the Windows file copying progress bar module; any similarities in function are a mere coincidence!

By going fast at the beginning, and slower towards the end, our hope is the visitor should feel encouraged, safe, and be less likely to close the page out of boredom. We even hope the user will switch tabs, leaving this in the background to load, and give us a longer chance to hook and do our BeEFY tricks.


Second, we prepare our XSS exploit link. The XSS JavaScript exploit should inject BeEF’s hook into the vulnerable page. The exploit link should rewrite the center pane of the vulnerable page to remove any original content and add the loading progress bar. It should look identical to our phishing domain. This should decrease the probability of the victim noticing anything wrong and maximize the time they will stay hooked. Furthermore, we can use some basic link obfuscation to trick savvy victims. This can be achieved by URL-encoding the whole value of the vulnerable parameter (including the readable text). For example, the query parameter:




search="<script src="test.js">

should look like:

search=%22%3c%73%63%72%69%70%74%20%73%72%63%3d%22%74%65%73%74%2e%6a%73%22%3e

Also, URL shortening services can be a good tool for hiding the main link. They are very common for use on social networks, especially on Twitter.
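The receiving side of this obfuscation, as an added Python example that is not part of the original post: a log scanner that fully percent-decodes every query parameter, so an over-encoded payload like the one above reads exactly like the plain one (it also goes one step beyond the post by collapsing double encoding). The access-log lines are constructed, in Apache common format.

```python
import re
from urllib.parse import unquote, urlsplit

# Decoded-value patterns that indicate script injection (kept narrow to limit false positives).
INJECTION_MARKERS = re.compile(r"<\s*(script|iframe|img|svg)\b|javascript:", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample lines: a benign search, the fully encoded payload from the post,
# and a double-encoded variant (%25 is an encoded '%').
LOG_LINES = [
    '203.0.113.5 - - [21/May/2012:10:01:12 +0000] "GET /?search=football HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/May/2012:10:02:40 +0000] "GET /?search=%22%3c%73%63%72%69%70%74'
    '%20%73%72%63%3d%22%74%65%73%74%2e%6a%73%22%3e HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/May/2012:10:03:01 +0000] "GET /?search=%2522%253cscript%2520src'
    '%253d%2522x.js%2522%253e HTTP/1.1" 200 512',
]

def full_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing. Encoding readable characters
    (%73%63... for 'script') collapses in one round; double encoding needs a second."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url: str) -> dict:
    """Map each query parameter whose decoded value carries a marker to that decoded value."""
    hits = {}
    for pair in filter(None, urlsplit(url).query.split("&")):
        name, _, raw = pair.partition("=")
        decoded = full_decode(raw)
        if INJECTION_MARKERS.search(decoded):
            hits[full_decode(name)] = decoded
    return hits

def scan_log(lines) -> list:
    """Return (client_ip, parameter, decoded_value) for every request that looks injected."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        for name, decoded in suspicious_params(match.group(1)).items():
            findings.append((client_ip, name, decoded))
    return findings
```

Run scan_log(LOG_LINES) to see the two encoded requests reported with their decoded payloads; a WAF or SIEM rule that matches only the literal string "<script" would miss both.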



Hooking Grounds
The first hooking ground we target is corporate email. We need to get our hands on a sample from Contoso’s internal email to make our phishing emails look more convincing. We want to match internal email anatomy (headers, fonts, text colors, signatures, ...etc). 


We'll need to do some more social engineering. We use our fictional profile to go into the conversation about the sunglasses and ask for more details. Posing as a clueless new employee of Contoso, we receive a couple of responses about how the discount works. We take the discussion away from the public group to a private one-on-one conversation with the most friendly respondents, and ask them to forward the email to a non-corporate email under the ruse that our corporate email is not fully active yet. 


Bingo! Now that we have the email, we craft a new one with the same anatomy as the sample we have, announcing the launch of a new football tournament. The email should appear to come from the sports committee and should have in the “to” field the same group name as the one from the original discount email. In the email body, we salute last year’s winners and add their picture with the trophy for a more convincing flavor, assuring people of the authenticity of the email.


And of course, we end the email with a “find out more” link that points to our hook. 


Since we have two hooking strategies, we split our targets into two sets. To one, we send links pointing to the phishing hook. To the other set, we send links pointing to the XSS hook. It’s worth mentioning that we need to tweak our server while sending phishing emails. We want to make sure we don't end up in the recipients' spam folders.


  • The server name should be set correctly to match the sending domain name.
  • The reverse PTR record of the phishing domain name should match the server’s IP.
  • There should be an SPF record allowing the IP of our server to send emails using the phishing domain. This is a good SPF record builder from Microsoft.
  • Make sure that the server’s ISP IP blocks are not on any email spam blacklists. This is a handy free online blacklist checker.


These are all common tactics mail filters check for to identify spam.
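What a receiving mail filter actually computes for the SPF item in that list, as an added Python example that is not part of the original post: a minimal evaluator for ip4/ip6/all terms (include, a and mx need DNS lookups and are left out), plus a hypothetical accept_for_delivery() that combines the SPF verdict with the server-name check. The record and addresses are constructed from RFC 5737 documentation ranges.

```python
import ipaddress

# Result an SPF evaluator returns when a mechanism with the given qualifier matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record: str) -> list:
    """Split a TXT record such as 'v=spf1 ip4:203.0.113.0/24 -all' into
    (qualifier, mechanism, argument) tuples; the qualifier defaults to '+'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed

def spf_check(record: str, sender_ip: str) -> str:
    """Evaluate the record for the connecting IP over ip4/ip6/all; first match wins.
    include, a and mx need DNS and are skipped in this offline example. With no
    match and no 'all' term the result is 'neutral', as the RFC specifies."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        elif mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"

def accept_for_delivery(record: str, sender_ip: str, helo_name: str, mail_from_domain: str) -> bool:
    """Hypothetical receiver decision in the spirit of the checklist above: reject on
    SPF fail, and require the HELO hostname to lie inside the sending domain."""
    if spf_check(record, sender_ip) == "fail":
        return False
    helo = helo_name.lower().rstrip(".")
    domain = mail_from_domain.lower().rstrip(".")
    return helo == domain or helo.endswith("." + domain)

if __name__ == "__main__":
    # Constructed record: only the /24 is authorised to send for the domain.
    record = "v=spf1 ip4:203.0.113.0/24 -all"
    print(spf_check(record, "203.0.113.25"), spf_check(record, "198.51.100.9"))
```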

The next hooking ground we target is social networking. We start by participating in group conversations and rants about the work environment, politics, etc., but never in a direct conversation, to keep our secret identity. Keeping our opinion with the flow also prevents controversial discussions that may trigger alarms. The target of this phase is to get people familiar with our display names popping up on their news feed, so they don’t feel it’s odd when they see a link as our first interaction. After a day or two of interactivity, we start the fun! We send a few buzzing words with a link to check the details. Buzzing social network announcements have to rely on the psychological needs of a wide range of employees. These can be found from what people are saying about their company on Facebook and Twitter. At Contoso, based on what we found, we thought of a few good buzzing messages:

  • On Twitter, we tweet ”OMG! <CEO name> has resigned! Embarrassing video <hook link> #screwContosoBoard” with retweets from different accounts.
  • On Facebook, in the non-official group, we broadcast the following buzzing messages from different fake profiles and maybe choose one of them to be shared on the wall of some of the fake profiles:
    • “Big bonus for referral to this vacancy <hook link>, do you know anyone?”
    • “Sign with us this petition to demand a salary raise <hook link>. Be positive and we will make a difference!”


We might even get to the secret cow level if we combine social engineering with physical materials that link to the hook. Good examples include:

  • Fill the streets near Contoso with stickers carrying a QR code with the XSS exploit link.
  • Distribute ad-like flyers in front of Contoso’s HQ with a short URL to the phishing page.

Adding Sinkers
Now that we have some people clicking links and getting hooked, we need to keep them hooked for as long as possible. Our sinking strategy relies on social engineering in addition to two helping modules in BeEF.

The greatest sinker of all is how we engineer the phishing/XSS pages to convince the people to stay more. As mentioned earlier, the progress bar is a good trick. When combined with suitably entertaining animations, it would do the job.

The pop-under module serves as a good persistence technique as well. We set its configuration to auto-run (from its corresponding config.yaml) so that it runs whenever a user is hooked. The module attempts to open a small pop-under window to keep the browser hooked even if the user closes the main tab. Be careful, though: sometimes this gets blocked by pop-up blockers.


We also want to use the man-in-the-browser module. We'll set this to auto-run as well. This ensures that, whenever the zombie clicks on any link on the phishing page, the next page will still be hooked. Someone would have to manually type a new address in the address bar to get away from our hook.


Finally, we use the "frame-above" module, which is the best option for persistence if we are dealing with IE. It basically rewrites all links on the webpage to spawn a 100% by 100% iframe with a source relative to the selected link, allowing ultra persistence. Michele "antisnatchor" Orru, BeEF's Lead Core Developer, talked about an ultra cool way to automate the whole process at AthCon 2012 and even created a Ruby script that utilizes our latest REST API to do Java 1.6.0u27 mass pwnage!

In the next post, we will talk about how to do the real fun: exfiltrate sensitive data, hop into the internal network, and common pen test practices to limit the scope and prevent counter attacks.
