a brief look at beef

even though i’ve been using kali for a while, i’d not gotten around to playing with beef (browser exploitation framework) because it simply didn’t work out of the box, and i had other stuff to do.  but i got around to it

first thing was to install a fresh copy:

# install and run beef
git clone https://github.com/beefproject/beef.git
cd beef
bundle install
./beef -x
# then browse to http://127.0.0.1:3000/ui/panel
# and log in with beef/beef

beef works by injecting control scripts into a browser, either by the victim visiting a malicious page, or being XSS-ed on a legit domain into biting on the ‘hook’

the browser stays hooked while on the same page, or on the same domain if you upgrade the hook.  control over the browser stops when the victim leaves the page/domain.  i’m not yet clear whether the hook persists and reactivates automatically when they revisit the same page/domain, or whether one would have to rehook them (with the same XSS, for example)

the hook in the victim’s browser polls the C&C server, getting new commands and sending responses to executed ones
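that polling is also what a defender can look for. as an added example (not from the original post or the beef project), this sketch flags a client that requests one host at short, near-constant intervals in a web proxy log; the log format, host names, paths and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log (timestamp, client, URL). Hosts and paths are made up;
# thresholds below are assumptions to tune against real traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 http://shop.example/index.html
2024-05-01T10:00:01 10.0.0.5 http://c2.example:3000/poll?id=1
2024-05-01T10:00:02 10.0.0.5 http://shop.example/style.css
2024-05-01T10:00:06 10.0.0.5 http://c2.example:3000/poll?id=1
2024-05-01T10:00:11 10.0.0.5 http://c2.example:3000/poll?id=1
2024-05-01T10:00:17 10.0.0.5 http://c2.example:3000/poll?id=1
2024-05-01T10:00:21 10.0.0.5 http://c2.example:3000/poll?id=1
2024-05-01T10:00:26 10.0.0.5 http://c2.example:3000/poll?id=1
2024-05-01T10:00:31 10.0.0.5 http://c2.example:3000/poll?id=1
2024-05-01T10:00:40 10.0.0.5 http://shop.example/cart
2024-05-01T10:03:10 10.0.0.5 http://shop.example/checkout
2024-05-01T10:03:12 10.0.0.5 http://shop.example/app.js
2024-05-01T10:09:00 10.0.0.5 http://shop.example/done
"""

def find_polling(log_text, min_requests=6, max_interval=30.0, max_cv=0.25):
    """Return [(client, host, mean_interval_s, request_count)] for clients that
    hit one host at short, near-constant intervals (beacon-like polling)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, client, url = parts
        seen[(client, urlsplit(url).netloc)].append(datetime.fromisoformat(ts))
    hits = []
    for (client, host), times in seen.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: low means the gaps are nearly identical.
        if 0 < avg <= max_interval and pstdev(gaps) / avg <= max_cv:
            hits.append((client, host, round(avg, 1), len(times)))
    return hits

if __name__ == "__main__":
    for hit in find_polling(SAMPLE_LOG):
        print(hit)
```

legitimate pages poll too (chat widgets, dashboards), so a hit is a triage signal to check against the page the client was on, not a verdict.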

some interesting ‘read only’ attacks i successfully carried out while the browser was hooked:

  • mine all the links on the victim’s loaded page
  • get cookies, localstorage content
  • get unsubmitted form field values, including autocompleted entries
    • my FF on kali had autofilled the page with credentials from another webapp, which beef promptly retrieved, which means i will shortly be turning autocompletion off on all my browsers
  • render the victim’s browser window content to the attacker, or show the html

some of the more aggressive attacks that worked were:

  • playing a sound
  • clickjacking with an invisible div that follows the cursor
  • rewriting or clickjacking hrefs on the page to go where one wants
  • redirecting the tab location
  • using the victim’s browser to issue web requests, and examining the responses (of course it sends the victim’s cookies along with the request)
  • some social engineering attacks of varying persuasiveness, but all were great as POCs
    • ‘clippy’ appearing in the bottom right of the screen saying the victim should upgrade by installing software
    • a facebook popup asking to re-enter credentials (probably a lot of people would fall for that if they were hooked on that domain)
    • redirect to an amazon look-alike page for entering credit card details

stuff that didn’t work so well:

  • get system info
    • => although this was a ‘green’ command, meaning it should be invisible to the victim, my browser showed me no less than 3 java applet warnings before it successfully executed. i doubt even my 90 year old gran would have clicked ‘OK’
  • get visited url(s) via timing attack
    • => made the hooked tab go batshit crazy
  • social engineering attacks that prompt the user to install a browser extension
    • => although the notification to install looked 80% legit, for FF at least, the world has moved on.  FF will now only install signed (by Mozilla) extensions after they have performed a security review. great stuff mozilla!

other stuff i didn’t try, or couldn’t get working:

  • using the victim’s browser to perpetrate exploits on various bits of hardware and software that i don’t possess
  • even though as victim i was perusing a page with forms on it, i couldn’t get xssrays to give me any output at all; i’ve no idea yet whether it’s broken or there just weren’t any xss on that page
  • i didn’t get into the ‘beef bind interactive shell’.  or, more accurately, i played around with it very briefly and it wasn’t intuitive enough that i got anything useful out of it.  some other time!

of course i was familiar with xss before, and had exploited browsers with it to gain shells via buffer overflow, but it’s quite remarkable what other stuff an attacker can do with your browser without your knowledge and consent after you get hit with one, and without any such critical browser vulnerability as a buffer overflow needing to be present
