How To: Take Pictures Through a Victim's Webcam with BeEF

Recently, I've been experimenting with BeEF (Browser Exploitation Framework), and to say the least, I'm hooked. When using BeEF, you must "hook" the victim's browser. This means that you must run the script provided by BeEF, which is titled "hook.js", in the victim's browser. Once you've done that, you can run commands against the victim's browser and cause all kinds of mayhem. Among these commands, there is an option to use the victim's webcam. This is what we'll be doing here today, so, let's get cooking!

Step 1: Start Up and Log into BeEF

If we're going to be using BeEF, we should start it first. In Kali 2.0, BeEF is conveniently located on the dock to the side of the desktop. For those of you using Kali 1.X, you can start BeEF by entering the following command...

service beef-xss start

Now that we've started BeEF, we can log into it. Let's open up our browser and navigate to the BeEF login page, which is located at 127.0.0.1:3000/ui/panel, and log in!

When you navigate to the login page, you will be greeted with an authentication box as seen above. The default username and password are both "beef". Now we can log in to BeEF and get started!

Step 2: Set Up the Hook

In order to hook the victim's browser, we must run the script "hook.js" within their browser. The way we'll be doing it today is by setting up an Apache web server that runs the script when connected to. So, let's start by making a simple web page by editing the index.html file.

We can see in the above screenshot that the desired HTML file is located at /var/www/html. Now let's launch into gedit and make our web page!

We can see in the above HTML that we've pointed the script source at the BeEF script by entering the address hosted by BeEF. After we've sourced the script from BeEF, we have set the body of the web page to simply say "You have been hooked!". Now that we have our HTML for our page, let's start up Apache!

The Apache service can be started with the following command...

service apache2 start

Once we run this command we should be able to navigate to our address in the browser and have the hook script run on the victim.

Step 3: Hook the Victim

Now that we have our web server started and set up, we can hook any victims that connect to it. To start, let's look in BeEF to make sure we don't have any browsers that are currently hooked.

As we can see in the above screenshot, the only hooked browser we have is our own. So, any victims that connect to our Apache server will run the hook script within their browser and appear here! Now let's go to our victim machine and navigate to our address from their browser...

We simply enter the attacker address in the address bar and connect to it. We should be greeted by a page like below.

Now that we've connected to our Apache server, we can go back to BeEF on the attacking machine to see if the hook worked.

There we go! The victim's browser is now hooked. Now that we've done this, we can run commands against their browser.
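Seen from the defending side, the hook from Steps 2 and 3 is an ordinary script element whose source is hook.js on the BeEF server (port 3000 in this tutorial), so it can be searched for in stored or proxied HTML. The following is an added example, not part of the original article or of BeEF; the function names, the sample pages and the example host names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

HOOK_FILENAME = "hook.js"   # script name used in this tutorial
BEEF_PORT = 3000            # port the tutorial's BeEF server listens on


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> element in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def find_hook_scripts(html, page_url):
    """Return (absolute_url, reasons) for scripts matching the tutorial's hook."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)   # resolve relative and //host forms
        parts = urlsplit(absolute)
        try:
            port = parts.port
        except ValueError:                  # malformed port in the URL
            port = None
        reasons = []
        if parts.path.rsplit("/", 1)[-1].lower() == HOOK_FILENAME:
            reasons.append("file name is hook.js")
        if port == BEEF_PORT:
            reasons.append("served from port 3000")
        if reasons:
            if parts.hostname != urlsplit(page_url).hostname:
                reasons.append("loaded from a different host than the page")
            findings.append((absolute, reasons))
    return findings


# Constructed sample pages (192.0.2.0/24 is a documentation address range).
CLEAN_PAGE = '<html><head><script src="/static/app.js"></script></head></html>'
HOOKED_PAGE = ('<html><head><SCRIPT SRC="http://192.0.2.10:3000/hook.js">'
               '</SCRIPT></head><body>You have been hooked!</body></html>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("hooked", HOOKED_PAGE)):
        print(name, find_hook_scripts(page, "http://intranet.example/index.html"))
```

The file name and port are the values this tutorial uses, so a match is a strong signal while a miss is inconclusive.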

Step 4: Run the Webcam Command

There are many commands that you can run within BeEF. These commands are located under the commands tab. Once we locate the commands tab, we select the webcam option...

Now in order to use the webcam, we must get the user's permission first, so we might need to use a little social engineering in order to entice the user to give us permission. Once we select the webcam command we will be greeted with some options to the right.

The default text is saying that we are requesting permission to use Adobe Flash Player. You can change these to say whatever you want, but we'll be leaving them as they are. Now we simply press the "execute" button to the bottom right of the page. Once we've done this we'll go to the victim's machine and see the permission request.

Now we're back on the victim machine, we can see that the page has changed. It now says that Adobe Flash Player needs to be allowed, and it has provided a dialogue box which gives us the options to allow or deny. We'll press allow and wait for the photos to be taken.

Step 5: Decode the Images

Now when the photos are taken, they will return back to us as a string. This means that instead of a photo, we'll get a jumbled mash of letters, numbers, and forward slashes. Once we get these strings back we'll have to decode them from base64. The first thing we need to do in order to do this is copy the text into a file.

The strings that are returned to us are very long. But once you have one copied into a text file, the hard part is over.

Now that we have one of our returned strings copied into a file, we can decode it. Let's navigate to our file first (in this case I've placed it on the desktop) and run the following command...

This command signifies base64, gives the "-d" switch, which means decode, and points to the file we named "base64string". It then writes the output to a file named "picture.jpg". Once we run this command we should see the image file appear on our desktop.
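Because the pictures travel as base64 text, an incident responder can look for them in captured text: the first three bytes of every JPEG (FF D8 FF) always encode to "/9j/". The following is an added example, not part of the original article or of BeEF; the function name, the sample image bytes and the capture layout are constructed for illustration and do not reproduce BeEF's wire format.

```python
import base64
import re

# "/9j/" is FF D8 FF in base64; the lookbehind makes sure the match starts a
# base64 run instead of landing in the middle of unrelated encoded data.
B64_JPEG = re.compile(r"(?<![A-Za-z0-9+/])/9j/[A-Za-z0-9+/]{16,}={0,2}")


def find_base64_jpegs(text):
    """Return one dict per base64 run in text that starts like a JPEG."""
    hits = []
    for match in B64_JPEG.finditer(text):
        body = match.group(0).rstrip("=")
        if len(body) % 4 == 1:          # a single stray character cannot decode
            body = body[:-1]
        padded = body + "=" * (-len(body) % 4)
        data = base64.b64decode(padded, validate=True)
        hits.append({
            "offset": match.start(),
            "decoded_bytes": len(data),
            # A whole JPEG ends with the end-of-image marker FF D9; a cut-off
            # copy of one of these very long strings will not.
            "complete": data.endswith(b"\xff\xd9"),
        })
    return hits


# Constructed sample: a 33-byte stand-in with a JPEG header and end marker.
SAMPLE_JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(20) + b"\xff\xd9"
SAMPLE_B64 = base64.b64encode(SAMPLE_JPEG_BYTES).decode("ascii")

# Constructed capture text: one whole string, one truncated copy, one decoy.
SAMPLE_CAPTURE = (
    "note=hello world\n"
    "result=" + SAMPLE_B64 + "\n"
    "partial=" + SAMPLE_B64[:30] + "\n"
)

if __name__ == "__main__":
    for hit in find_base64_jpegs(SAMPLE_CAPTURE):
        print(hit)
```

A hit marked incomplete usually means the string was truncated somewhere between capture and review.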

There we have it! We were able to set up a site to hook the victim, do so, and then take pictures through the webcam they gave us access to!

Step 6: Feedback!

Leave any comments, questions, or anything of the like that you have!

Thank you for reading!

-Defalt

11 Comments

Good article, thanks.

BeEF is seriously underrated in my opinion.

Good job.

-Phoenix750

It's underrated because for it to be effective you have either to be on the same network as the target and inject it in every website using mitmf, or else it will only work if they visit the website, but when they go off the website you lose them.

Hello!
I'm using Kali 2.0.
When I open beef-xss && run the mitmf command
mitmf --spoof --arp -i ** --gateway ** ...
and then when I go to the target browser and go to any website,
the mitmf terminal doesn't show anything for me!
It doesn't work for me, why?
Here's a pic of that:
http://postimg.org/image/fhnt0orvp/

This tutorial doesn't use mitmf, but from what you've provided it seems that you're ARP spoofing, so there would be no output as there is nothing to output. Would you kindly tell why you're using mitmf? More information would be needed to answer any deeper.

-Defalt

You need to provide us the full command, and I think you didn't give mitmf a target.

I saw this tutorial:

And I'm using MITMF to inject the target with the hook URL!
I didn't write the whole command because it's long, but I gave it the target IP address!
Okay!
Now I'm trying to use the hook URL, which is:
http://ip:3000/hook.js && when I enter it in the target browser
it shows me a lot of lines, which means there is no JavaScript running!
Sorry about my English, people!
Here's a pic of that:
http://postimg.org/image/g0zxhjjgl/

Ok, so accessing the URL like that is reading the script, not executing it. The script needs to be sourced in the HTML.

-Defalt

I will try to include it in an HTML source!

Yes, I did exactly that! But nothing happened, just like the pic that I showed you:
http://postimg.org/image/fhnt0orvp/
I think I have a big problem with BeEF on my system!
I will reinstall the system with a 64-bit copy!
And I will try!
Thanks anyway!
