Embed Size (px)
Citation preview
Browser Exploitation Framework (BeEF)
Lab
TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG
OutlineOutline
2
Introduction to BeEF
Basic Concepts
Lab Setup
Lab Scenarios
Introduction
3
What is BeEF?Browser Exploitation Framework.Penetration testing tool Focuses on the web browser
• Why BeEF? Without the appropriate security patches applied, web browsers are vulnerable
to attack or exploit. Hackers add scripts that do not change the website’s appearance, but this
redirect to another web site may cause malicious programs to be downloaded to your computer.
Allow remote control of your computer by the attacker.
• What to do with BeEF? Learn BeEF different componentsUse command modules in different scenariosIntegrate the framework with other toolsLab generation
Basic Concepts
4
• Cross Site Scripting (XSS)
Enables attackers to inject client-side script into Web pages viewed by other users.
Uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely.
By injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user.
Lab SetupLab Setup
5
Tools Used:
Kali Linux
BeEF
Metasploit
Lab SetupLab Setup
6
• Kali LinuxBeEF can be installed on Windows, Linux, Mac OSWhy Kali ?
Designed for digital forensics and penetration testing.
Preinstalled with numerous penetration-testing programs.
Lab Setup
7
• BeEFArchitecture of BeEF
• The Communication Server (CS)- This the component that communicates via HTTP with the
hooked browsers.
Lab Setup - BeEF
8
• User InterfaceUser Interface--Command line interfaceCommand line interface
Lab Setup - BeEFLab Setup - BeEF
9
• User InterfaceUser Interface -Graphical User Interface-Graphical User Interface
Lab Setup – BeEF
10
Modules The official page lists 128 modules (exploits)Modular framework
Choose modules for different scenarios- Networking- Social Engineering
Modules consists of config file Config.yaml, class file Module.rb, javascript file Command.js
Lab Setup
11
• MetasploitDeveloping and executing exploit code against a remote target machine.
Import vulnerability scan dataCompare the identified vulnerabilities to existing exploit modules for accurate exploitation.
Contain wide variety of payloads not limited to a specific exploit.
We should enable the integration of Metasploit with BeEF.
Lab ScenariosLab Scenarios
12
Hook!
Generating Payloads Using Metasploit
Delivering Payloads to Victim Using
Social Engineering
Executing the Payloads
Hook!Hook!
13
Demo (Include JavaScript
hook.js in other pages)
Hook! - Hook! - Reconnaissance
14
Getting Victim's IP
15
What browser are they using? What browser plugins/ add-ons/ extensions are installed on their browser?
Hook! - Hook! - Reconnaissance
16
What operating system are they using?
Hook! - Hook! - Reconnaissance
Generating the Payload Using Generating the Payload Using MetasploitMetasploit
17
Demo (Generate
payloads using Metasploit)
Delivering Payload to VictimDelivering Payload to Victim
18
Demo (Firefox Add-on -
Fake Flash Update)
Shellshock Scenario
19
Demo (Shellshock using BeEF)
Final Remarks
20
Video Guide
Learning Tool
Happy Hacking !
Q & A
21
References
22
Alcorn, W., Frichot, C., The Browser Hacker’s Handbook. 2014
Anley, C., Heasman, J., Linder, F., Richarte, G., The Shellcoder’s Handbook. 2007.
Weidman, G., Penetraton Testing: A Hand-On Introduction to Hacking. 2014.
https://github.com/beefproject/beef/wiki
http://www.advancedpentest.com/help-install-kali-linux
http://www.offensive-security.com/metasploit-unleashed
