Monday, May 21, 2012

BeEF In a Real World Pen Test - Part 2: Tasty BeEF nuggets, line, hook and sinker (Social Engineering to get a hook)



In the first part of this series, we explained pre-hooking basics for reaching the maximum number of targets. In this post, we go through the hooking process, taking into account the social and technical aspects of keeping the targets' browsers hooked for as long as possible.

Preparing The Line
During recon of our target, Contoso.com, we harvested a few e-mails and infiltrated some social media outlets. Tips from the conversations we observed between employees led us to the unofficial Facebook group for Contoso. There, we learned that an internal football tournament is held yearly in a nearby stadium, organized by an internal "Sports Committee."

We even found some pictures of last year's winners holding a trophy. We also spotted a couple of people talking about internal e-mails with special discounts on sunglasses as part of an employee benefit program.

On Twitter, we found a couple of interesting hashtags, such as #screwContosoBoard, carrying quite a bit of anger from employees toward Contoso's management and board of directors.

We also bought a phishing domain, "Contso.com", and a valid SSL certificate for it. Finally, a quick web vulnerability scan identified a reflected cross-site scripting (XSS) vulnerability on Contoso's main website.

We will use this information to build our hooking strategy: phishing-domain links and XSS exploit links to lure browsers on three main fronts: corporate email, Facebook and Twitter.


Preparing The Hook
First, we set the hook on our phishing page. It should have the same anatomy as the original website (header, footer, side panes, CSS, etc.) and be served from our “secure”, SSL-enabled phishing page on Contso.com. We'll add a loading progress bar in the middle pane and put up a user-friendly message saying "this page might take some time to load." The progress bar advances according to an inverse exponential decay function. The JavaScript code below is an example of progress code that can be used.



var totalProgress = 100;
var currentProgress = 1.0;

// Advance the bar every 100 ms. Each step adds exp(-progress / 3), so the bar
// jumps quickly at first and then crawls, in practice never reaching 100%.
function tick() {
    currentProgress = currentProgress + Math.exp(currentProgress / -3);
    if (currentProgress < totalProgress) {
        setTimeout(tick, 100);   // JavaScript has no sleep(); schedule the next step instead
    }
}
tick();

Disclaimer: None of this code is taken from the Windows file-copying progress bar module; any similarity in function is a mere coincidence!

By going fast at the beginning and slower towards the end, we hope the visitor feels encouraged and safe, and is less likely to close the page out of boredom. We even hope the user will switch tabs and leave this one loading in the background, giving us a longer window to hook the browser and do our BeEFy tricks.


Second, we prepare our XSS exploit link. The XSS JavaScript payload should inject BeEF's hook into the vulnerable page. The exploit link should rewrite the center pane of the vulnerable page to remove any original content and add the loading progress bar, so that it looks identical to our phishing domain. This decreases the probability of the victim noticing anything wrong and maximizes the time they stay hooked. Furthermore, we can use some basic link obfuscation to fool savvier victims, by forcing URL encoding for the whole value of the vulnerable parameter (including readable text). For example, the query parameter:




search="<script src="test.js">

should look like:

search=%22%3c%73%63%72%69%70%74%20%73%72%63%3d%22%74%65%73%74%2e%6a%73%22%3e

URL shortening services are also a good tool for hiding the real link; they are in everyday use on social networks, especially Twitter.
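As an added example, not part of the original post, here is the receiving side of that trick: a check that decodes a query string and flags parameters whose ordinary letters were percent-encoded, a strong sign of deliberate obfuscation. The sample query strings are constructed; the encoded payload is the one shown above.

```javascript
// RFC 3986 unreserved characters never need percent-encoding in a query value
const UNRESERVED = /^[A-Za-z0-9\-._~]$/;

// Decode %XX sequences by hand so we can count how many of them encoded a
// character that did not need it (the "encode the readable text" trick).
function analyzeParam(rawValue) {
  let decoded = '';
  let encoded = 0;
  let needless = 0;
  for (let i = 0; i < rawValue.length; i++) {
    const hex = rawValue.slice(i + 1, i + 3);
    if (rawValue[i] === '%' && /^[0-9A-Fa-f]{2}$/.test(hex)) {
      const ch = String.fromCharCode(parseInt(hex, 16));
      encoded++;
      if (UNRESERVED.test(ch)) needless++;
      decoded += ch;
      i += 2;
    } else {
      decoded += rawValue[i] === '+' ? ' ' : rawValue[i];
    }
  }
  return {
    decoded,
    encoded,
    needless,
    // heuristic: several encoded bytes, at least half of them unnecessary
    overEncoded: encoded >= 4 && needless / encoded >= 0.5,
    scriptTag: /<\s*script\b/i.test(decoded),
  };
}

// Split a query string and return the parameters that deserve a second look
function suspiciousParams(query) {
  const hits = [];
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const info = analyzeParam(eq < 0 ? '' : pair.slice(eq + 1));
    if (info.overEncoded || info.scriptTag) hits.push({ name, ...info });
  }
  return hits;
}

// Constructed samples: an ordinary search, and the encoded payload from the post
const SAMPLE_QUERIES = [
  'search=football%20tournament&page=2',
  'search=%22%3c%73%63%72%69%70%74%20%73%72%63%3d%22%74%65%73%74%2e%6a%73%22%3e',
];
```

Run over web server access logs, the `needless` count on its own is a useful signal even when the decoded value contains no script tag.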



Hooking Grounds
The first hooking ground we target is corporate email. We need a sample of Contoso's internal email to make our phishing emails convincing, matching the internal email anatomy (headers, fonts, text colors, signatures, etc.).


This needs some more social engineering. Using our fictional profile, we join the conversation about the sunglasses and ask for more details. Posing as a clueless new Contoso employee, we receive a couple of responses explaining how the discount works. We move the discussion from the public group to private one-on-one conversations with the friendliest respondents and ask them to forward the email to a non-corporate address, under the ruse that our corporate email is not fully active yet.


Bingo! Now that we have the email, we craft a new one with the same anatomy as the sample, announcing the launch of a new football tournament. The email should appear to come from the sports committee and carry in the "To" field the same group name as the original discount email. In the body, we salute last year's winners and add their picture with the trophy for a more convincing flavor, reassuring readers of the email's authenticity.


And of course, we end the email with a “find out more” link that points to our hook. 


Since we have two hooking strategies, we split our targets into two sets. To one we send links pointing to the phishing hook; to the other, links pointing to the XSS hook. Note that we need to tune our mail server before sending phishing emails, so that we don't end up in the recipients' spam folders:


  • The server's hostname should match the sending domain name.
  • The reverse (PTR) record of the phishing domain name should match the server's IP.
  • There should be an SPF record allowing our server's IP to send email for the phishing domain. Microsoft offers a good SPF record builder.
  • Make sure the IP blocks of the server's ISP are not on any email spam blacklist. A free online blacklist checker makes this easy.


Mail filters commonly check all of these when deciding whether a message is spam.
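An added example, not from the original post, for the receiving side: the SPF and PTR records above are perfectly valid for contso.com itself, so sender authentication passes; what a mail filter can still catch is that the sender domain is one edit away from the organisation's own. contoso.com and contso.com are the post's fictional domains; the From: headers below are constructed.

```javascript
// Optimal-string-alignment distance: insert, delete, substitute or swap two
// adjacent characters each count as one edit (so "cotnoso" is one edit away).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Pull the domain out of a From: header value such as 'Name <user@host>'
function senderDomain(fromHeader) {
  const m = /@([A-Za-z0-9.-]+)/.exec(fromHeader);
  return m ? m[1].toLowerCase() : null;
}

// Returns the protected domain the sender imitates, or null when the sender is
// genuine or unrelated. The last two labels stand in for the registrable
// domain, a simplification that ignores suffixes such as co.uk.
function lookalikeOf(fromHeader, protectedDomains, maxEdits = 2) {
  const domain = senderDomain(fromHeader);
  if (!domain) return null;
  const base = domain.split('.').slice(-2).join('.');
  for (const p of protectedDomains) {
    if (base === p) return null;
    if (editDistance(base, p) <= maxEdits) return p;
  }
  return null;
}

// Constructed From: headers using the post's fictional domains
const SAMPLE_FROM = [
  'Sports Committee <sports@contoso.com>',   // genuine
  'Sports Committee <sports@contso.com>',    // the phishing domain
];
function flaggedSenders(headers, protectedDomains) {
  return headers.filter((h) => lookalikeOf(h, protectedDomains) !== null);
}
```

Pair this with a check of the Reply-To and the display name, since the "Sports Committee" name is what most readers will actually look at.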

The next hooking ground is social networking. We start by participating in group conversations and rants about the work environment, politics, etc., but never in direct conversations, to protect our cover identity. Going with the flow of opinion also avoids controversial discussions that might raise alarms. The goal of this phase is to get people used to our display names popping up in their news feeds, so a link as our first direct interaction does not seem odd. After a day or two of activity, we start the fun: we post a few buzzworthy words with a link to "check the details." Buzzworthy social network announcements have to appeal to a psychological need shared by a wide range of employees, which can be found from what people are saying about their company on Facebook and Twitter. At Contoso, based on what we found, we came up with a few good buzz messages:

  • On Twitter, we tweet “OMG! <CEO name> has resigned! Embarrassing video <hook link> #screwContosoBoard”, with retweets from different accounts.
  • On Facebook, in the unofficial group, we broadcast the following messages from different fake profiles, and maybe pick one to be shared on the walls of some of the fake profiles:
    • “Big bonus for referral to this vacancy <hook link>, do you know anyone?”
    • “Sign this petition with us to demand a salary raise <hook link>. Be positive and we will make a difference!”


We might even reach the secret cow level if we combine social engineering with physical materials that link to the hook. Good examples include:

  • Covering the streets near Contoso with stickers carrying a QR code for the XSS exploit link.
  • Distributing ad-like flyers in front of Contoso's HQ with a short URL to the phishing page.

Adding Sinkers
Now that we have some people clicking links and getting hooked, we need to keep them hooked for as long as possible. Our sinking strategy relies on social engineering in addition to two helping modules in BeEF.

The greatest sinker of all is how we engineer the phishing/XSS pages to convince people to stay longer. As mentioned earlier, the progress bar is a good trick; combined with suitably entertaining animations, it does the job.

The pop-under module is a good persistence technique as well. We configure it to auto-run (from its config.yaml) so that it fires whenever a user is hooked. The module attempts to open a small pop-under window that keeps the browser hooked even if the user closes the main tab. Be careful, though: pop-up blockers sometimes block it.


We also want the man-in-the-browser module, set to auto-run as well. It ensures that whenever the zombie clicks any link on the phishing page, the next page is still hooked; someone would have to manually type a new address into the address bar to get away from our hook.


Finally, we use the "frame-above" module, which is the best option for persistence when dealing with IE. It rewrites all links on the web page to spawn a 100% by 100% iframe whose source is the selected link, allowing ultra persistence. Michele "antisnatchor" Orru, BeEF's lead core developer, talked about an ultra-cool way to automate the whole process at AthCon 2012 and even created a Ruby script that uses our latest REST API to do Java 1.6.0u27 mass pwnage!

In the next post, we will get to the real fun: exfiltrating sensitive data, hopping into the internal network, and common pen test practices to limit the scope and prevent counter-attacks.
