This post was contributed by Christian Frichot (@xntrik).
Where would BeEF be without hooking? Not very far. The concept of utilising a browser to gain information on a target, or better yet, compromise other systems, relies on a very important first step: hooking the browser. In BeEF parlance, this is the moment a browser executes the initial JavaScript payload (/hook.js) successfully and sets up a persistent communication channel back to the BeEF server. During BeEF’s early days as a young, unwieldy PHP app (hehe, you know I’m joking Wade, it kicked ass even back then), this initial hook was often times a cross-site scripting (XSS) flaw that was being exploited to inject the hook into a vulnerable website, which was then subsequently executed by a victim browser.
These days exploiting XSS flaws, whilst still common, is not as easy as it used to be. With the number of preventative controls really starting to stack up, you can see why attackers (read: pen testers :P) are starting to look at other means to entice a victim (read: authorising party) to bite on their hook. The following are just a few of those XSS controls:
- Developers slowly starting to use input/output encoding/escaping;
- Development frameworks slowly making it more and more difficult to accept or output unfiltered code by default;
- Browser in-built XSS controls, such as those within IE and Chrome;
- Add-on XSS controls, such as NoScript;
- Content-Security-Policy headers.
- Michele’s enhancements in the social engineering space (BeEF web cloning, mass mailing etc.);
- Ryan Linn’s recent work in the MITM space (BeEF Shank - MitM for Pentests)
In addition to Michele’s social engineering extensions, a couple of other extensions exist within BeEF that allow an attacker to hook a victim. These are the ‘Custom Hook Point with iFrame Impersonation’ (the customhook extension), and the ‘QR Code Generator’ (the qrcode extension). You can use these extensions separately, but combining them really helps an attacker successfully perform a browser-based social engineering attack. The customhook extension simply offers the attacker a custom mount point (beefserver.com/thisisacustommountpoint) within BeEF that, when visited by a browser, loads up the BeEF hook and then loads a full-screen iframe of the target website. While similar in concept to the web cloning extension, this extension does not require downloading the target website. Because the extension displays the target website in an iframe, it only works when the target site does not utilise any frame-busting code. We here at BeEF prefer diversity in the ways in which you can use the tool, just like we enjoy a variety of different cuts (top, sirloin, shankle, tongue, tenderloin etc).
You could use a customhook by itself quite nicely: fire up BeEF, trick a user (using shortened URLs for example) into visiting the custom mount point and away you go. But why stop there? You know how much we love hooking mobile devices, right? This is where the qrcode extension can come into play. For those who haven’t seen QR codes before, they’re the new fad in mobile/advertising that are meant to be trivial for mobile devices to point at and then perform an action, such as visit a URL. The qrcode extension itself is very basic: all it does is take a URL, and then give you back a Google Chart URL which generates the QR code for you. While you can use the extension if you wish, you can just as easily hit up https://chart.googleapis.com/chart?cht=qr&chs=300x300&chl=<inserttargeturlhere>
Tying it all together now, edit the beef/extensions/customhook/config.yaml file:
[Image: customhook config.yaml]
To leverage the QR code extension, edit the beef/extensions/qrcode/config.yaml file:
[Image: qrcode config.yaml]
Set enable to ‘true’, then drop your URL into the target setting.
When you start BeEF you should see the console respond with:
[Image: console response with custom hook and qrcode links]
Happy fishing BeEFers!
-Christian ‘@xntrik’ Frichot



There's also a web design company in Long island which performs this kind of website security protection to avoid any unwanted malwares in penetrating to the site itself. Good way to ensure that the site you got will not be hacked or infected.
Luisa Will
If you want to start a small online advertising agency then you should contact a person with this kind of knowledge with Browser Exploitation Framework (BeEF). There is a high risk that your website can be hacked or injected from an unknown source so security is the priority.
Lara Thompson
Thanks for this brief lesson in manipulating the codes. Web designers are much aware of the possible attacks so we need security. - Ben Griffiths
There's one tiny detail that developers keep forgetting here. Thanks for pointing that out!
- Claudia Lacey
Can anyone explain how to set up a static IP for BeEF, for using it over the internet? I am wondering about this and can't find any info about it. I think it is a lot of people's problem too. Thanks.