How to Take Pictures Through a Victim's Webcam with BeEF

Sep 27, 2015 05:30 PM

Recently, I've been experimenting with BeEF (Browser Exploitation Framework), and to say the least, I'm hooked. When using BeEF, you must "hook" the victims browser. This means that you must run the script provided by BeEF, which is titled "hook.js", in the victims browser. Once you've done that, you can run commands against the victims browser and cause all kinds of mayhem. Among these commands, there is an option to use the victims webcam. This is what we'll be doing here today, so, let's get cooking!

Step 1: Start Up and Log into BeEF

If we're going to be using BeEF, we should start it first. In Kali 2.0, BeEF is conveniently located on the dock to the side of the desktop. For those of you using Kali 1.X, you can start BeEF by entering the following command...

service beef-xss start

Now that we've started BeEF, we can log into it. Let's open up our browser and navigate the BeEF login page, which is located at 127.0.0.1:3000/ui/panel. So let's navigate to that page and login!

635788486219142228.jpg

When you navigate to the login page, you will be greeted with an authentication box as seen above. The default username and password are both "beef". Now we can login to BeEF and get started!

Step 2: Set Up the Hook

In order to hook the victims browser, we must run the script "hook.js" within their browser. The way we'll be doing it today is we'll be setting up an apache web server that runs the script when connected to. So, let's start by making a simple web page by editing the index.html file.

635788490315628560.jpg

We can see in the above screenshot that the desired HTML file is located at /var/ww/html. Now let's launch into gedit and make our web page!

635788490905831064.jpg

We can see in the above HTML, we've directed the script to the BeEF script by entering the address hosted by BeEF. After we've sourced the script to BeEF, we have set the body of the web page to simply say "You have been hooked!". Now that we have our HTML for our page, let's start up apache!

The apache service can be started with the following command...

service apache2 start

Once we run this command we should be able to navigate to our address in the browser and have the hook script run on the victim.

Step 3: Hook the Victim

Now that we have our web server started and set up, we can hook any victims that connect to it. To start, let's look in BeEF to make sure we don't have any browsers that are currently hooked.

635788493711527767.jpg

As we can see it he above screenshot, the only hooked browser we have is our own. So, any victims that connect to our apache server will run the hook script within their browser and appear here! Now let's go to our victim machine and navigate to our address from their browser...

635789440870183089.jpg

We simply enter the attacker address in the address bar and connect to it. We should be greeted by a page like below.

635789441688840993.jpg

Now that we've connected to our apache server, we can go back to BeEF on the attacking machine to see if the hook worked.

635789442227789492.jpg

There we go! The victims browser is now hooked. Now that we've done this, we can run commands against their browser.

Step 4: Run the Webcam Command

There are many commands that you can run within BeEF. These commands are located under the commands tab. Once we locate the commands tab, we select the webcam option...

635789443857604727.jpg

Now in order to use the webcam, we must get the users permission first, so we might need to use a little social engineering in order to entice the user to give us permission. Once we select the webcam command we will be greeted with some options to the right.

635789445875163718.jpg

The default text is saying that we are requesting permission to use Adobe Flash Player. You can change these to say whatever you want, but we'll be leaving them as they are. Now we simply press the "execute" button to the bottom right of the page. Once we've done this we'll go to the victims machine and see the permission request.

635789447035098367.jpg

Now we're back on the victim machine, we can see that the page has changed. It now says that Adobe Flash Player needs to be allowed, and it has provided a dialogue box which gives us the options to allow or deny. We'll press allow and wait for the photos to be taken.

Step 5: Decode the Images

Now when the photos are taken, they will return back to us as a string. This means that instead of a photo, we'll get a jumbled mash of letters, numbers, and forward slashes. Once we get these strings back we'll have to decode them from base64. The first thing we need to do in order to do this is copy the text into a file.

635789449800589704.jpg

The strings that are returned to use are very long. But once you have it copied into a text file, the hard part is over.

Now that we have one of our returned strings copied into a file, we can decode it. Let's navigate to our file first (In this case I've placed it on the desktop) and run the following command...

635789451321873141.jpg

This command signifies base64, gives the "-d" switch, which means decode, and points to the file we named "base64string". It then writes the output to a file named "picture.jpg". Once we run this command we should see the image file appear on our desktop.

635789452539022749.jpg

There we have it! We were able to set up a site to hook the victim, do so, and then take pictures through the webcam the gave us access to!

Step 6: Feedback!

Leave any comments, questions, or anything of the like that you have!

Thank you for reading!

-Defalt

Comments

No Comments Exist

Be the first, drop a comment!