This post was contributed by Christian Frichot (@xntrik).
These days exploiting XSS flaws, whilst still common, is not as easy as it used to be. With the number of preventative controls really starting to stack up, you can see why attackers (read: pen testers :P) are starting to look at other means to entice a victim (read: authorising party) to bite on their hook. The following are just a few of those XSS controls:
- Developers slowly starting to use input/output encoding/escaping;
- Development frameworks slowly making it more and more difficult to accept or output unfiltered code by default;
- Browser in-built XSS controls, such as those within IE and Chrome;
- Add-on XSS controls, such as NoScript;
- Content-Security-Policy headers.

And a few of those other means, already in BeEF:
- Michele's enhancements in the social engineering space (BeEF web cloning, mass mailing etc.);
- Ryan Linn's recent work in the MITM space (BeEF Shank - MitM for Pentests).
In addition to Michele's social engineering extensions, a couple of other extensions exist within BeEF that allow an attacker to hook a victim. These are the 'Custom Hook Point with iFrame Impersonation' (the customhook extension) and the 'QR Code Generator' (the qrcode extension). You can use these extensions separately, but combining them really helps an attacker successfully perform a browser-based social engineering attack. The customhook extension simply offers the attacker a custom mount point (beefserver.com/thisisacustommountpoint) within BeEF that, when visited by a browser, loads up the BeEF hook and then loads a full-screen iframe of the target website. While similar in concept to the web cloning extension, this extension does not require downloading the target website. Because the extension displays the target website in an iframe, it only works when the target site does not use any frame-busting code. We here at BeEF prefer diversity in the ways in which you can use the tool, just like we enjoy a variety of different cuts (top, sirloin, shankle, tongue, tenderloin etc).
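A defender-side view of that frame-busting caveat, as an added example (Python, not BeEF code): given a site's response headers it reports whether a third-party page could frame it, honouring the rule that an enforced CSP frame-ancestors directive overrides X-Frame-Options; all header values are constructed samples.

```python
# Added example for this post (not BeEF project code): the customhook
# iframe impersonation only works against a site that can be framed, so
# the defensive check is whether a response carries an effective
# anti-framing header. Script-based frame busting is invisible in headers
# and is not evaluated here. Header values below are constructed samples.

def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_verdict(headers):
    """Classify a site's framing posture from its response headers.

    Returns 'blocked', 'same-origin', 'allow-list' or 'frameable'
    ('frameable' means any third-party page can embed it in an iframe).
    """
    h = {k.lower(): v for k, v in headers.items()}
    # An enforced CSP frame-ancestors directive takes precedence over
    # X-Frame-Options (CSP Level 2). Report-Only CSP enforces nothing.
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors in ([], ["'none'"]):   # bare directive equals 'none'
            return "blocked"
        if "*" in ancestors:
            return "frameable"
        if all(a == "'self'" for a in ancestors):
            return "same-origin"
        return "allow-list"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM was never supported by Chrome/Safari and was dropped by
    # Firefox, so in current browsers it offers no protection at all.
    return "frameable"

if __name__ == "__main__":
    SAMPLES = {  # constructed responses, not real sites
        "no headers": {"Content-Type": "text/html"},
        "xfo deny": {"X-Frame-Options": "DENY"},
        "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    }
    for name, hdrs in SAMPLES.items():
        print(f"{name:12s} -> {framing_verdict(hdrs)}")
```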
You could use a customhook by itself quite nicely: fire up BeEF, trick a user (using shortened URLs, for example) into visiting the custom mount point and away you go. But why stop there? You know how much we love hooking mobile devices, right? This is where the qrcode extension can come into play. For those who haven't seen QR codes before, they're the new fad in mobile/advertising, meant to be trivial for mobile devices to point at and then perform an action, such as visiting a URL. The qrcode extension itself is very basic: all it does is take a URL and give you back a Google Chart URL which generates the QR code for you. While you can use the extension if you wish, you can just as easily hit up https://chart.googleapis.com/chart?cht=qr&chs=300x300&chl=<inserttargeturlhere>
Tying it all together now, edit the beef/extensions/customhook/config.yaml file:
To leverage the QR code extension, edit the beef/extensions/qrcode/config.yaml file:
Set enable to 'true', then drop your URL into the target setting.
When you start BeEF you should see the console respond with:
|console response with custom hook and qrcode links|
Happy fishing, BeEFers!
-Christian ‘@xntrik’ Frichot