Thursday, September 13, 2012

BeEF web cloning, BeEF mass mailing, Social Engineering with better BeEF!

After a week of hard work, I'm pleased to release a new Social Engineering extension that will come in very handy during social engineering attacks that involve phishing, both email and web based.

Now BeEF has its own web cloner, and its own mass mailer! But, there are tools out there that do this already, you say. Why should I use BeEF to do this, you ask?

Because it's BeEF! While there are other tools out there to do these things, I've made some improvements to how these are done when adding them into BeEF. We're talking about things like cloning web pages with an exact path, automatic BeEF hooking, and finally a mass mailer that supports HTML emails... well, you should really read this whole post.

You are probably already aware that you can do web cloning, credential harvesting and mass mailing with other tools. At the time of this writing, though, those tools have various limitations. For example:
  • When you clone a web page, you cannot arbitrarily specify the exact path where you want to serve the cloned page from. For instance, if you clone hxxp://example.com/customer/login.aspx and your phishing domain is http://exaample.com, you cannot mount the cloned page on http://exaample.com/customer/login.aspx. Instead, you have to use http://exaample.com/, unless you patch the tool yourself.
  • Also, after a POST request is intercepted, control of the victim is lost (unless you use other attacks that pwn the victim machine first).
  • Finally, you cannot have one instance of the tool serving multiple phishing pages (in case you want to do that).
  • When you use the mass mailer, you cannot send HTML emails. By default the degree of customization of your email is very limited: when you create a template you can specify only a subject, a body and an attachment, and the email is always sent in plain text. In many attack scenarios, when you have already profiled your victim (so you know her email and name, and you probably also have an HTML email with the company footer/branding), you want to send targeted emails that look exactly the same as the legitimate ones she usually receives.

I was frustrated with these limitations, and I always needed to customize these tools in order to include BeEF hooks, so I got bored and decided to write my own code.

The BeEF web cloner has the following features:
  • Clone the page you want, and mount it where you want (including the exact path). You can clone multiple pages and mount them in multiple different locations. You can also specify whether you want to mount the exact clone, or a different file of your own (for instance, after you have applied custom modifications that are easier to make manually than with a parser);
  • The cloned page is automatically modified in multiple ways: the BeEF hook is added, so that the victim is automatically hooked in BeEF as soon as she is on the page, and the 'form' fields are modified in order to intercept POST requests (credentials sent to a login page, for instance);
  • Finally, if the original page you cloned can be framed (currently the extension checks only for X-Frame-Options, not for custom framebusting code), after the victim clicks on the login page and the POST request is intercepted, the original page is loaded in an overlay iframe while the browser stays hooked in BeEF.
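The overlay step above only works when the original page allows itself to be framed. As an added example (not part of this post or of BeEF), here is a small Python check a site owner can run over captured response headers to confirm a login page refuses framing from another origin; unlike the extension, it also honours CSP frame-ancestors, which browsers apply in preference to X-Frame-Options. The header samples and origins are constructed.

```python
# Added example, not part of the post or of BeEF: decide from response headers
# whether another origin could load a page inside an iframe. The extension
# described above checks only X-Frame-Options; this check also honours CSP
# frame-ancestors, which browsers apply in preference to X-Frame-Options.

def _header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def framing_allowed(headers, page_origin, framing_origin):
    """True if framing_origin may embed the page served with these headers.
    Handles the common frame-ancestors forms ('none', 'self', '*', exact
    origins); host wildcards and scheme-only sources are not handled."""
    csp = _header(headers, "Content-Security-Policy") or ""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if not sources or "none" in sources:   # empty list means 'none'
                return False
            if "*" in sources:
                return True
            if "self" in sources and framing_origin == page_origin:
                return True
            return framing_origin in sources
    xfo = (_header(headers, "X-Frame-Options") or "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return framing_origin == page_origin
    return True  # no framing restriction at all: an overlay iframe would work

# Constructed sample responses (hypothetical), as one would capture with curl -I
UNPROTECTED = {"Content-Type": "text/html"}
XFO_DENY = {"X-Frame-Options": "DENY"}
XFO_SAME = {"x-frame-options": "SAMEORIGIN"}
CSP_SELF = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
CSP_WINS = {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"}

def report(page_origin, framing_origin):
    """Map each sample name to whether framing_origin could frame that page."""
    samples = {"unprotected": UNPROTECTED, "xfo_deny": XFO_DENY,
               "xfo_sameorigin": XFO_SAME, "csp_self": CSP_SELF, "csp_wins": CSP_WINS}
    return {name: framing_allowed(h, page_origin, framing_origin)
            for name, h in samples.items()}

if __name__ == "__main__":
    print(report("https://example.com", "http://exaample.com"))
```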
The BeEF mass mailer has the following features:
  • Connects to an SMTP server on the port you want (with or without TLS), and sends highly customizable emails, based on a template you choose, to the N victims you specify. When specifying the victim emails, you also associate every email address with a name, so the final email looks more legitimate (Hi Michele, then Hi Wade, and so on, depending on the recipient). The mass_mailer configuration options and the default email template file structure are shown here below:

  • Template creation is where the fun starts. You are completely free to create both a plain text and an HTML email with the content you want. When I already have the original legitimate HTML email of the victim, what I usually do is the following:
    • copy and paste the original HTML content into your new template file mail.html;
    • if the email contains images (in the form of <img src="http://a.com/b.png" />), download those images into the template directory;
    • then configure the config.yaml file by adding your new template, specifying which images you have, and assigning a Content Id to each of them;
    • using the Content Ids, edit the mail.html file, replacing each image source with something like <img src="cid:__cidX__" />, where X is the id of the CID of the image you want in that position;
    • finally, place the __name__ and __link__ / __linktext__ placeholders where you want, as those values will be automatically replaced with the content you want.
The default template email looks like the following:

And this is how it looks when viewed in a mail client:


Note that the fromname (BeEF) can always be spoofed when creating an email, and you're free to specify any value you want. Also, by default, many mail clients display only the fromname field instead of the full email address.
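Because the fromname is all many clients show, the defensive counterpart to the note above is a gateway-side check on the From: header. This is an added example, not part of this post or of BeEF: it flags a display name the organisation reserves for its own senders when it arrives from a foreign domain, and, going one step beyond the note, a display name that itself looks like an address at a different domain from the real one. The reserved-name list and sample headers are constructed.

```python
# Added example, not part of the post or of BeEF: flag From: headers where the
# display name (the part many clients show on its own) does not agree with the
# actual sender domain. Uses only the standard library.
from email.utils import parseaddr

# Constructed allow-list (hypothetical): reserved display names -> legitimate domains
RESERVED_NAMES = {"it helpdesk": {"example.com"}, "payroll": {"example.com"}}

def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def check_from(from_header):
    """Return the reasons a From: header value is suspicious (empty if clean)."""
    name, addr = parseaddr(from_header)
    name, real_domain = name.strip(), domain_of(addr)
    reasons = []
    allowed = RESERVED_NAMES.get(name.lower())
    if allowed is not None and real_domain not in allowed:
        reasons.append("reserved display name from foreign domain")
    name_domain = domain_of(name)   # display name written to look like an address
    if name_domain and name_domain != real_domain:
        reasons.append("display name looks like an address at another domain")
    return reasons

# Constructed sample headers with the verdict each should receive
SAMPLES = {
    "IT Helpdesk <helpdesk@example.com>": [],
    "IT Helpdesk <noreply@exaample.com>": ["reserved display name from foreign domain"],
    '"helpdesk@example.com" <mailer@exaample.com>':
        ["display name looks like an address at another domain"],
    "Wade <wade@example.com>": [],
}

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_from(header) or "ok")
```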
Both the web cloner and the mass mailer functionality are currently exposed only via the RESTful API. To clone https://example.com/login.aspx and mount it on /login.aspx on BeEF, use the following curl request (update [BeEF] and [token] accordingly):
curl -H "Content-Type: application/json; charset=UTF-8" \
  -d '{"url":"https://example.com/login.aspx", "mount":"/login.aspx"}' \
  -X POST "http://[BeEF]/api/seng/clone_page?token=[token]"

To send an email using the default template, with custom fromname/subject/link/linktext values, to 2 recipients, use the following curl request (update [BeEF] and [token] accordingly):
curl -H "Content-Type: application/json; charset=UTF-8" \
  -d '{"template": "default", "subject": "your subject", "fromname": "BeEF",
       "link": "http://[BeEF]/login.aspx", "linktext": "https://example.com/login.aspx",
       "recipients": [{"michele@example.com": "Michele", "wade@example.com": "Wade"}]}' \
  -X POST "http://[BeEF]/api/seng/send_mails?token=[token]"

A few notes. The extension is (currently) not compatible with Windows, because it uses wget to clone the web page, and file to determine the correct MIME type for inline/attachment email contents. Other than that, it is up to you to set up a public server with a proper domain name and MX records for the SMTP server (in case you cannot use the victim's SMTP server for spoofing purposes).

Finally, don't forget to change beef.http.host in the main config.yaml file to your public server IP address.

Having these two nice tools, you can plan your social engineering campaigns using both web and email phishing, while using BeEF to do the dirty work. What I usually do is script everything with the RESTful API: clone a page, include that phishing link on a new mass mailer template, send the emails to my targets, hook them all in BeEF, launch targeted command modules, and (thanks to BeEF's awesome browser/plugin detection) wait for reverse shells :D

Have fun!  

1 comment:

  1. Was setting up a Tor hidden service with BT5 r3 - and guess what your stuff was installed into apache2. So my hidden service is working and I plan on getting BeEF working in Tor as a service.
    There might be a need for this tool in Tor if I understand your madness.. - Tor Site - otwxbdvje5ttplpv.onion
    - clearWeb uscyberlabs.com/blog
    - @gAtOmAlO2 - let me know if I can be of service...
    later
