Monday, May 21, 2012

BeEF In a Real World Pen Test - Part 2: Tasty BeEF nuggets, line, hook and sinker (Social Engineering to get a hook)

In the first part of this series, we explained pre-hooking basics for reaching the maximum number of targets. In this post, we will go through the hooking process, taking into consideration the social and technical aspects of keeping the target's browsers hooked for as long as possible.

Preparing The Line
During recon of our target, we harvested a few e-mails and infiltrated some social media outlets. Hints in the conversations we observed between employees led us to the non-official Facebook group for Contoso. Here, we learned that an internal football tournament is held yearly in a nearby stadium. It's organized by an internal "Sports Committee."

We even found some pictures of last year's winners holding a trophy. We also spotted a couple of people talking about internal e-mails with special discounts on sunglasses as part of an employee benefit program.

On Twitter, we found a couple of interesting hashtags, notably #screwContosoBoard, carrying quite a bit of anger from employees towards Contoso's management and board of directors.

We also bought a phishing domain "" and a valid SSL certificate for it. Finally, a quick web vulnerability scan identified a reflected cross-site scripting (XSS) vulnerability on Contoso's main website.

We will use this information to build our hooking strategy. We want to use our phishing domains and XSS exploit links to lure browsers at three main frontiers: Corporate email, Facebook and Twitter.

Preparing The Hook
First, we set the hook on our phishing page. It should have the same anatomy as the original website (header, footer, side panes, CSS, etc.), served on our "secure" SSL-enabled phishing page on  We'll add a loading progress bar in the middle pane and put up a user-friendly message that says "this page might take some time to load." We'll drive the progress bar with an inverse exponential decay function. The JavaScript code below is an example of the progress code that can be used.

// Fast at first, ever slower towards 100% (inverse exponential decay).
// Driven by a timer rather than a blocking while loop so the page stays responsive.
var totalProgress = 100;
var currentProgress = 1.0;
var bar = document.getElementById("progress"); // a <progress max="100"> element in the middle pane
var timer = setInterval(function () {
    currentProgress += Math.exp(currentProgress / -3);
    bar.value = Math.min(currentProgress, totalProgress);
    if (currentProgress >= totalProgress) clearInterval(timer);
}, 100);

Disclaimer: None of this code is taken from the Windows file copying progress bar module; any similarities in function are a mere coincidence!

By going fast at the beginning and slower towards the end, our hope is that the visitor feels encouraged and safe, and is less likely to close the page out of boredom. We even hope the user will switch tabs, leaving this one in the background to "load", giving us a longer window to hook and do our BeEFY tricks.

Second, we prepare our XSS exploit link. The XSS JavaScript payload should inject BeEF's hook into the vulnerable page. The exploit link should rewrite the center pane of the vulnerable page to remove any original content and add the loading progress bar, so that it looks identical to our phishing domain. This should decrease the probability of the victim noticing anything wrong and maximize the time they stay hooked. Furthermore, we can use some basic link obfuscation to trick savvy victims. This can be achieved by forcing URL encoding of the whole value of the vulnerable parameter (including the readable text). For example, the query parameter:

search="<script src="test.js">

should look like:


URL shortening services are also a good tool for hiding the main link. They are very common on social networks, especially on Twitter.
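The whole-value encoding trick above only hides the payload from a human reader; a mail gateway or proxy that fully percent-decodes query parameters before inspecting them still sees the tag. The following check is an added example and not code from the original post; the host name and sample links are constructed, and the decoder also handles the double-encoded variant the post does not mention.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample links (hypothetical host), not taken from the original post.
SAMPLE_LINKS = [
    "https://www.example.test/search?q=football+tournament",
    # the post's <script src="test.js"> value with every byte percent-encoded,
    # readable text included
    "https://www.example.test/search?search="
    "%3C%73%63%72%69%70%74%20%73%72%63%3D%22%74%65%73%74%2E%6A%73%22%3E",
    # double-encoded variant: %25 decodes to '%', which decodes again to '<'
    "https://www.example.test/search?search=%253Cscript%2520src%253D%2522test.js%2522%253E",
]

# Markup that has no business inside a search parameter.
SCRIPT_RE = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def full_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing, so layered encoding is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_script_params(url):
    """Return (parameter, decoded value) pairs whose decoded value carries script markup."""
    query = urlsplit(url).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already removed one layer of encoding; strip any remaining layers
        decoded = full_decode(raw)
        if SCRIPT_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(urls):
    """Map each suspicious URL to the parameters that triggered the check."""
    return {u: flag_script_params(u) for u in urls if flag_script_params(u)}


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_LINKS).items():
        print(url, "->", hits)
```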

Hooking Grounds
The first hooking ground we target is corporate email. We need to get our hands on a sample of Contoso's internal email to make our phishing emails look more convincing. We want to match the internal email anatomy (headers, fonts, text colors, signatures, etc.).

We'll need to do some more social engineering. We use our fictional profile to join the conversation about the sunglasses and ask for more details. Posing as a clueless new employee of Contoso, we receive a couple of responses about how the discount works. We take the discussion away from the public group into a private one-on-one conversation with the friendliest respondents, and ask them to forward the email to a non-corporate address under the ruse that our corporate email is not fully active yet.

Bingo! Now that we have the email, we craft a new one with the same anatomy as the sample, announcing the launch of a new football tournament. The email should appear to come from the sports committee and should have in the "To" field the same group name as the original discount email. In the email body, we salute last year's winners and add their picture with the trophy for a more convincing flavor, reassuring people of the email's authenticity.

And of course, we end the email with a “find out more” link that points to our hook. 

Since we have two hooking strategies, we split our targets into two sets. To one, we send links pointing to the phishing hook. To the other, we send links pointing to the XSS hook. Note that we need to tune our mail server before sending phishing emails. We want to make sure we don't end up in the recipients' spam folders.

  • The server name should be set to match the sending domain name.
  • The reverse DNS (PTR) record for the server's IP should resolve to the phishing domain name.
  • There should be an SPF record allowing the IP of our server to send email on behalf of the phishing domain. There is a good SPF record builder from Microsoft.
  • Make sure that the server's ISP IP blocks are not on any email spam blacklists. There is a handy free online blacklist checker.

These are all common signals that mail filters check to identify spam.
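To make the SPF and reverse-DNS checks in the list concrete from the receiving side, here is an added example (not code from the original post) of how a mail filter evaluates them for a sender IP. The domains, addresses and DNS records are constructed stand-ins for live TXT and PTR lookups, and the SPF evaluator handles only ip4/ip6 and all mechanisms, not include or redirect.

```python
import ipaddress

# Constructed DNS data (hypothetical domains and documentation-range addresses),
# standing in for the TXT and PTR lookups a real receiver would perform.
TXT = {
    "contoso-benefits.test": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/28 -all",
    "contoso.test":          "v=spf1 ip4:192.0.2.0/24 -all",
}
PTR = {
    "203.0.113.10": "mail.contoso-benefits.test",
    "203.0.113.99": "dyn-99.isp.test",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip):
    """Evaluate the domain's v=spf1 record for sender_ip (ip4/ip6/all mechanisms only)."""
    record = TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                      # no policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]   # catch-all, usually -all or ~all
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip in net:                  # version mismatch simply does not match
                return QUALIFIERS[qualifier]
    return "neutral"                       # record exhausted without an 'all'


def ptr_matches(sender_ip, mail_from_domain):
    """Forward-confirmed style check: does the IP's PTR name sit under the sending domain?"""
    name = PTR.get(sender_ip, "")
    return name == mail_from_domain or name.endswith("." + mail_from_domain)


def classify(mail_from_domain, sender_ip):
    """Combine both signals into a filter verdict, as a simple spam filter would."""
    spf = spf_check(mail_from_domain, sender_ip)
    ptr_ok = ptr_matches(sender_ip, mail_from_domain)
    if spf == "fail" or (spf == "none" and not ptr_ok):
        verdict = "reject"
    elif spf == "softfail" or not ptr_ok:
        verdict = "spam-folder"
    else:
        verdict = "accept"
    return {"spf": spf, "ptr_ok": ptr_ok, "verdict": verdict}


if __name__ == "__main__":
    for domain, ip in [("contoso-benefits.test", "203.0.113.10"),
                       ("contoso-benefits.test", "203.0.113.99"),
                       ("contoso.test", "203.0.113.10")]:
        print(domain, ip, classify(domain, ip))
```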

The next hooking ground we target is social networking. We start by participating in group conversations and rants about the work environment, politics, etc., but never in a direct conversation, to keep our secret identity. Keeping our opinions with the flow also avoids controversial discussions that might trigger alarms. The goal of this phase is to get people familiar with our display names popping up in their news feeds, so they don't find it odd when a link is our first interaction. After a day or two of interaction, we start the fun! We send a few buzzing words with a link to "check the details." Buzzing social network announcements have to appeal to a psychological need shared by a wide range of employees. This can be gleaned from what people are saying about their company on Facebook and Twitter. At Contoso, based on what we found, we thought of a few good buzzing messages:

  • On Twitter, we tweet "OMG! <CEO name> has resigned! Embarrassing video <hook link> #screwContosoBoard" with retweets from different accounts.
  • On Facebook, in the non-official group we broadcast the following buzzing messages from different fake profiles, and maybe pick one of them to be shared on the walls of some of the fake profiles:
    • "Big bonus for referral to this vacancy <hook link>, do you know anyone?"
    • "Sign this petition with us to demand a salary raise <hook link>. Be positive and we will make a difference!"

We might even reach the secret cow level if we combine social engineering with physical materials that link to the hook. Good examples include:

  • Cover the streets near Contoso with stickers carrying a QR code that encodes the XSS exploit link.
  • Distribute ad-like flyers in front of Contoso's HQ with a short URL to the phishing page.

Adding Sinkers
Now that we have some people clicking links and getting hooked, we need to keep them hooked for as long as possible. Our sinking strategy relies on social engineering in addition to two helping modules in BeEF.

The greatest sinker of all is how we engineer the phishing/XSS pages to convince people to stay longer. As mentioned earlier, the progress bar is a good trick. Combined with suitably entertaining animations, it does the job.

The pop-under module serves as a good persistence technique as well. We set it to auto-run (from its corresponding config.yaml) so that it fires whenever a user is hooked. The module attempts to open a small pop-under window to keep the browser hooked even if the user closes the main tab. Be careful, though: sometimes this gets blocked by pop-up blockers.

We also want to use the man-in-the-browser module. We'll set this to auto-run as well. This ensures that, whenever the zombie clicks any link on the phishing page, the next page is still hooked. Someone would have to manually type a new address in the address bar to get away from our hook.

Finally, we use the "frame-above" module, which is the best option for persistence if we are dealing with IE. It rewrites all links on the web page to spawn a 100% by 100% iframe whose source is the selected link, allowing ultra persistence. Michele "antisnatchor" Orru, BeEF's Lead Core Developer, talked about an ultra cool way to automate the whole process at AthCon 2012 and even created a Ruby script that uses our latest REST API to do Java 1.6.0u27 mass pwnage!

In the next post, we will get to the real fun: exfiltrating sensitive data, hopping into the internal network, and common pen test practices to limit the scope and prevent counter-attacks.
