Stealing Login Credentials using BeEF and Cross Site Scripting (XSS)
For the past few weeks, I have focused exclusively on cross site scripting (XSS) attacks. This week is no different. The past posts were meant to demonstrate these types of attacks from a high level. This week, I will show how these attacks can be used more maliciously.
The tools used to conduct the tests this week are similar to the tools used in the past. For starters, Kali Linux (https://www.kali.org/downloads/) was used and as always, was installed on a virtual machine using VirtualBox (https://www.virtualbox.org/wiki/Downloads). I also used Metasploitable 2 (https://information.rapid7.com/metasploitable-download.html) and a virtual instance of Windows 10. To get a copy of Windows 10 to use for testing purposes, simply visit https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/. Finally, I also used the Browser Exploitation Framework (BeEF) which can be downloaded as a standalone program from https://github.com/beefproject/beef or can be used via Kali Linux as it comes pre-loaded.
First a little bit about BeEF. According to the Browser Exploitation Framework (BeEF) website, BeEF "allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context" (http://beefproject.com/).
First, click on the BeEF icon on the left hand side (highlighted in yellow). A terminal window opens and starts the BeEF program (see below)
Next, login to the BeEF UI by visiting http://127.0.0.1:3000/ui/authentication URL. The username is beef and the password is beef.
Once logged in, open a browser in the Kali machine and navigate to the DVWA machine within Metasploitable. Be sure to set the security settings to low.
To make this attack work, an attacker would simply copy the entire URL (including the injected script) and send to a target. For better success, an attacker could use a URL shortening service.
Stored XSS attacks are much more dangerous, as we demonstrated in previous posts. To execute a successful XSS using BeEF, I navigated to the stored XSS tab on DVWA. Once there, I simply injected the malicious payload into the message box and clicked Sign Guestbook. This will save the entry in the guest book and the script will be executed every time a target visits this specific page.
To test the success, I opened my Windows 10 virtual instance and navigated to the DVWA Stored XSS page. (As you can see from the top, this is a Windows 10 machine running inside a virtual environment).
Once a machine is hooked with BeEF, I can now start executing commands. Additionally, this now gives me control over the browser. BeEF supports a number of malicious things an attacker can do once they have hooked a browser. For example, I can activate a webcam, take a screenshot of the target machine, install a keylogger, and so much more. For simplicity, I only executed two malicious acts simply for demonstration purposes to show the versatility of this tool.
For the first attack, I simply redirected the target to the URL of my choice. I simply redirected them the Amazon. The left image is the Windows 10 target machine, currently still on DVWA page. The right screen shows the BeEF UI with the redirect command, routing the target to Amazon.
Once I clicked execute, the target machine was sent to Amazon. It is interesting to note that the URL on the target machine did not chance when redirected.
One way to avoid this type of attack is to ensure you are only logging in directly on trusted sites. In this case, it would be highly recommended to visit Facebook directly to reauthenticate, however, if a keylogger was able to be successfully installed on the target machine, it would not stop an attacker from gathering your login credentials.
I will continue to explore more in the next few posts.
The tools used to conduct the tests this week are similar to the tools used in the past. For starters, Kali Linux (https://www.kali.org/downloads/) was used and as always, was installed on a virtual machine using VirtualBox (https://www.virtualbox.org/wiki/Downloads). I also used Metasploitable 2 (https://information.rapid7.com/metasploitable-download.html) and a virtual instance of Windows 10. To get a copy of Windows 10 to use for testing purposes, simply visit https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/. Finally, I also used the Browser Exploitation Framework (BeEF) which can be downloaded as a standalone program from https://github.com/beefproject/beef or can be used via Kali Linux as it comes pre-loaded.
First a little bit about BeEF. According to the Browser Exploitation Framework (BeEF) website, BeEF "allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context" (http://beefproject.com/).
First, click on the BeEF icon on the left hand side (highlighted in yellow). A terminal window opens and starts the BeEF program (see below)
Next, login to the BeEF UI by visiting http://127.0.0.1:3000/ui/authentication URL. The username is beef and the password is beef.
Once logged in, open a browser in the Kali machine and navigate to the DVWA machine within Metasploitable. Be sure to set the security settings to low.
Next, I used the script provided in the terminal when initializing BeEF and set the IP address to my attacker IP machine.
From here, I simply navigated to the reflected XSS page in DVWA and appended this script to the URL and sent the request.
Once the request was sent, the script was executed. To verify, simply go back to the BeEF UI and under the Hooked Browser section on the far left, you will see that the browser has been successfully hooked.
Stored XSS attacks are much more dangerous, as we demonstrated in previous posts. To execute a successful XSS using BeEF, I navigated to the stored XSS tab on DVWA. Once there, I simply injected the malicious payload into the message box and clicked Sign Guestbook. This will save the entry in the guest book and the script will be executed every time a target visits this specific page.
Navigating back to the BeEF UI in my Kali instance, you can now see that this machine is now hooked with BeEF too.
For the first attack, I simply redirected the target to the URL of my choice. I simply redirected them the Amazon. The left image is the Windows 10 target machine, currently still on DVWA page. The right screen shows the BeEF UI with the redirect command, routing the target to Amazon.
Once I clicked execute, the target machine was sent to Amazon. It is interesting to note that the URL on the target machine did not chance when redirected.
The next test I conducted was more malicious in that it allowed me to steal login credentials. Using one of the commands supplied in BeEF, I simply sent a message to the target browser saying that their Facebook session had expired and they need to log back in. Once the credentials were entered, the captured authentication data was returned to the attacker machine.
I will continue to explore more in the next few posts.
Comments
Post a Comment