Presentation is loading. Please wait.

Presentation is loading. Please wait.

Browser Exploitation Framework (BeEF) Lab

Similar presentations


Presentation on theme: "Browser Exploitation Framework (BeEF) Lab"— Presentation transcript:

1 Browser Exploitation Framework (BeEF) Lab
4/17/2017 Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG

2 Outline Introduction to BeEF Basic Concepts Lab Setup Lab Scenarios
4/17/2017 Introduction to BeEF Basic Concepts Lab Setup Lab Scenarios

3 Introduction What is BeEF? Why BeEF? What to do with BeEF?
Browser Exploitation Framework. Penetration testing tool Focuses on the web browser Why BeEF? Without the appropriate security patches applied, web browsers are vulnerable to attack or exploit. Hackers add scripts that do not change the website’s appearance, but this redirect to another web site may cause malicious programs to be downloaded to your computer. Allow remote control of your computer by the attacker. What to do with BeEF? Learn BeEF different components Use command modules in different scenarios Integrate the framework with other tools Lab generation BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

4 Basic Concepts Cross Site Scripting (XSS)
Enables attackers to inject client-side script into Web pages viewed by other users. Uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. By injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user.

5 Lab Setup 4/17/2017 Tools Used: Kali Linux BeEF Metasploit

6 Lab Setup Kali Linux BeEF can be installed on Windows, Linux, Mac OS
Why Kali ? Designed for digital forensics and penetration testing. Preinstalled with numerous penetration-testing programs. BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

7 Lab Setup BeEF Architecture of BeEF The Communication Server (CS)
- This the component that communicates via HTTP with the hooked browsers. BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

8 Lab Setup - BeEF User Interface -Command line interface

9 Lab Setup - BeEF User Interface -Graphical User Interface

10 Lab Setup – BeEF Modules
The official page lists 128 modules (exploits) Modular framework Choose modules for different scenarios - Networking Social Engineering Modules consists of config file Config.yaml, class file Module.rb, javascript file Command.js

11 Lab Setup Metasploit Developing and executing exploit code against a remote target machine. Import vulnerability scan data Compare the identified vulnerabilities to existing exploit modules for accurate exploitation. Contain wide variety of payloads not limited to a specific exploit. We should enable the integration of Metasploit with BeEF.

12 Lab Scenarios Hook! Generating Payloads Using Metasploit
Delivering Payloads to Victim Using Social Engineering Executing the Payloads

13 (Include JavaScript hook.js in other pages)
Demo (Include JavaScript hook.js in other pages)

14 Hook! - Reconnaissance Getting Victim's IP

15 Hook! - Reconnaissance What browser are they using? What browser plugins/ add-ons/ extensions are installed on their browser?

16 Hook! - Reconnaissance What operating system are they using?

17 Generating the Payload Using Metasploit
Demo (Generate payloads using Metasploit)

18 Delivering Payload to Victim
Demo (Firefox Add-on - Fake Flash Update)

19 (Shellshock using BeEF)
Shellshock Scenario Demo (Shellshock using BeEF)

20 Final Remarks Video Guide Learning Tool Happy Hacking !
BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

21 Q & A

22 References Alcorn, W., Frichot, C., The Browser Hacker’s Handbook. 2014 Anley, C., Heasman, J., Linder, F., Richarte, G., The Shellcoder’s Handbook Weidman, G., Penetraton Testing: A Hand-On Introduction to Hacking BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.


Download ppt "Browser Exploitation Framework (BeEF) Lab"

Similar presentations


Ads by Google