Monday, May 14, 2012

BeEF In a Real World Pen Test - Part 1: BeEFy Marinades (Pre-hooking Profiling and Trust Yield)

In this installment, we'll be talking about pre-hooking activities: how to build on the information from our target with social engineering to gain the trust required for stable BeEFed browsers.

Part I: Assumptions
Our engagement is a ten day project. As part of the standard engagement, the basic information we get from our client is:
  • Target company’s external IP address range.
  • The names of CEO, IT director, HR manager, and the names of a couple of normal employees.
  • The most important asset of the company (e.g. financial records, network availability, etc.).

We'll want a phishing domain and some social media presence for our cons. For this scenario, we'll use Microsoft’s notorious fictional company, Contoso Ltd. (“We love Microsoft!”, as the Three Musketeers would say. Kudos Ed Skoudis, Kevin Johnson and Joshua Wright).

Part II: Pre-requisites
For our phishing campaign, we need e-mails that make it past spam filters, with convincing links that will hook our targets. Good phishing domains include variations in letter ordering, TLD interchange, or use of Unicode characters (e.g. Ć, ċ, etc.). One great tool that can help find a suitable phishing domain is URLCrazy. It's a domain name typo generator that lists various common typos for a given domain.
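The three tricks just listed (reordered letters, a swapped TLD, and accented or punycode look-alikes) are exactly what a mail gateway should be testing inbound sender domains for. The Python below is an added example, not code from this post or from URLCrazy: it folds each sender domain to a comparable form and flags it against the real domain, run over a few constructed log lines for the fictional contoso.com.

```python
import re
import unicodedata

# Small constructed fold table; the real Unicode confusables list is far larger.
CONFUSABLES = {"ı": "i", "ł": "l", "ø": "o", "0": "o", "1": "l"}
SENDER_RE = re.compile(r"from=<?[^@\s<]+@([^\s>]+)")

def normalize(domain: str) -> str:
    """Lower-case, decode punycode labels, strip accents, fold look-alike chars."""
    domain = domain.lower().rstrip(".")
    if "xn--" in domain:  # IDN sender: turn xn-- labels back into Unicode
        domain = domain.encode("ascii").decode("idna")
    # NFKD splits ć into c + combining acute; dropping the mark leaves plain c.
    base = "".join(c for c in unicodedata.normalize("NFKD", domain) if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in base)

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting an adjacent-letter swap ('contsoo') as one edit."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def lookalike_reason(candidate: str, legit: str):
    """Say why `candidate` resembles the organisation's real domain, or None."""
    cand, real = normalize(candidate), normalize(legit)
    if cand == real:  # equal only after folding means homoglyphs or punycode
        return None if candidate.lower() == legit.lower() else "homoglyph"
    (cn, _, ct), (rn, _, rt) = cand.rpartition("."), real.rpartition(".")  # 1-label TLD assumed
    if cn == rn and ct != rt:
        return "tld-swap"
    return "typo" if ct == rt and osa_distance(cn, rn) == 1 else None

def scan_mail_log(log_text: str, legit: str):
    """Return (line_no, sender_domain, reason) for each look-alike sender."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if (m := SENDER_RE.search(line)) and (reason := lookalike_reason(m.group(1), legit)):
            hits.append((n, m.group(1), reason))
    return hits

PUNY = "ćontoso.com".encode("idna").decode("ascii")  # constructed sample; punycode computed, not typed
SAMPLE_LOG = f"""from=hr@contoso.com to=alice@contoso.com subject=Payroll
from=it-desk@contsoo.com to=bob@contoso.com subject=Password-reset
from=news@contoso.net to=carol@contoso.com subject=Newsletter
from=admin@{PUNY} to=dave@contoso.com subject=Login"""
```

Calling `scan_mail_log(SAMPLE_LOG, "contoso.com")` flags line 2 as a typo, line 3 as a TLD swap and line 4 as a homoglyph, while the genuine sender on line 1 passes.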

Since this is a domain we actually own, we can even go one step further and purchase a valid SSL certificate for the phishing domain to assure visitors that they are “secure”. But since obtaining an SSL certificate usually takes time, it's a good idea to start this process as soon as the project kicks off.

Employees will probably interact with people they don't know within their organization. With the right fake profiles, this interaction is even easier on social networks. We create several fake profiles to target wider classes of people. Consider:
  • Statistically, people tend to accept friend requests from females more readily than from males.
  • The display name of a fake profile should be as generic as possible. Research and use common first and last names at the target company’s country.
  • Provocative female avatars will increase acceptance by males, but will lessen the probability of females accepting friend requests. It may also raise moral issues for married or religious people. Therefore, cartoonish female display pictures (e.g. Belle from Beauty and the Beast) may give the profile a perfect “generic” look, allowing wider audience acceptance.
  • It is important to create fake profiles that pretend to work in the target company.
  • Vagueness leaves the details to the imagination of the people. It’s better to be vague than to trigger an alert that might reveal your fake identity. Hide most information to be as generic as possible.

Part III: Set the lines
Starting with the names we have, we expand our circle. We search for our target employees on Facebook, Twitter, LinkedIn, etc. and filter out unrelated profiles that share the same name, based on job description and/or picture. Then, we identify all related friends and classify profiles into:
  • Class A targets: employees working at the target company in key positions that give them access to valuable information (e.g. HR, system admins, ...).
  • Class B targets: Normal employees working at the target company.
  • Class C targets: Friends of Class A people.
  • Class D targets: Friends of Class B people.

Over the course of a day or two, we start interacting, following and friending people from the least important to the most important targets. Well-timed interactions are crucial here. More important targets should not notice any flaws in the fake profiles’ activities. So, follow this pattern:
  1. Send friend requests to many class D targets.
  2. When you have some class D friends in common with a class B target, add this class B target.
  3. Repeat steps 1 and 2 till you have a significant number of class B targets.
  4. Start adding class C targets.
  5. When you have some class C friends in common with a class A target, add this class A target.
  6. Repeat steps 4 and 5 till you have a significant number of class A targets.

The process can be partially automated using the Facebook exploitation framework (FBPwn). Because people sometimes accept a friend request and then remove it shortly afterwards, it is critical to save relevant information as quickly as possible. FBPwn also gives you other options to pull off more advanced social engineering tricks.

Depending on the activity level of the targets, this process should take no more than two or three days. Be as friendly and generic as possible, and save any information you get. Key information to look for and save for future reference:
  • Posts mentioning interactions, rants, and/or events happening inside the target company.
  • Company specific lingo and keywords.
  • Company specific or commonly used hashtags.
  • Conversations taking place between two people in the company.

In the next post in this series, we'll talk about how to use this information to bait and set the hook, and what we can do with the phish once we have them on the line.
