Presentation is loading. Please wait.

Presentation is loading. Please wait.

Browser Exploitation Framework (BeEF) Lab

Published byAdam Kelley Modified over 9 years ago

Similar presentations

Presentation on theme: "Browser Exploitation Framework (BeEF) Lab"— Presentation transcript:

1 Browser Exploitation Framework (BeEF) Lab
4/17/2017 Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG

2 Outline Introduction to BeEF Basic Concepts Lab Setup Lab Scenarios
4/17/2017 Introduction to BeEF Basic Concepts Lab Setup Lab Scenarios

3 Introduction What is BeEF? Why BeEF? What to do with BeEF?
Browser Exploitation Framework. Penetration testing tool Focuses on the web browser Why BeEF? Without the appropriate security patches applied, web browsers are vulnerable to attack or exploit. Hackers add scripts that do not change the website’s appearance, but this redirect to another web site may cause malicious programs to be downloaded to your computer. Allow remote control of your computer by the attacker. What to do with BeEF? Learn BeEF different components Use command modules in different scenarios Integrate the framework with other tools Lab generation BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

4 Basic Concepts Cross Site Scripting (XSS)
Enables attackers to inject client-side script into Web pages viewed by other users. Uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. By injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user.

5 Lab Setup 4/17/2017 Tools Used: Kali Linux BeEF Metasploit

6 Lab Setup Kali Linux BeEF can be installed on Windows, Linux, Mac OS
Why Kali ? Designed for digital forensics and penetration testing. Preinstalled with numerous penetration-testing programs. BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

7 Lab Setup BeEF Architecture of BeEF The Communication Server (CS)
- This the component that communicates via HTTP with the hooked browsers. BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

8 Lab Setup - BeEF User Interface -Command line interface

9 Lab Setup - BeEF User Interface -Graphical User Interface

10 Lab Setup – BeEF Modules
The official page lists 128 modules (exploits) Modular framework Choose modules for different scenarios - Networking Social Engineering Modules consists of config file Config.yaml, class file Module.rb, javascript file Command.js

11 Lab Setup Metasploit Developing and executing exploit code against a remote target machine. Import vulnerability scan data Compare the identified vulnerabilities to existing exploit modules for accurate exploitation. Contain wide variety of payloads not limited to a specific exploit. We should enable the integration of Metasploit with BeEF.

12 Lab Scenarios Hook! Generating Payloads Using Metasploit
Delivering Payloads to Victim Using Social Engineering Executing the Payloads

13 (Include JavaScript hook.js in other pages)
Demo (Include JavaScript hook.js in other pages)

14 Hook! - Reconnaissance Getting Victim's IP

15 Hook! - Reconnaissance What browser are they using? What browser plugins/ add-ons/ extensions are installed on their browser?

16 Hook! - Reconnaissance What operating system are they using?

17 Generating the Payload Using Metasploit
Demo (Generate payloads using Metasploit)

18 Delivering Payload to Victim
Demo (Firefox Add-on - Fake Flash Update)

19 (Shellshock using BeEF)
Shellshock Scenario Demo (Shellshock using BeEF)

20 Final Remarks Video Guide Learning Tool Happy Hacking !
BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

21 Q & A

22 References Alcorn, W., Frichot, C., The Browser Hacker’s Handbook. 2014 Anley, C., Heasman, J., Linder, F., Richarte, G., The Shellcoder’s Handbook Weidman, G., Penetraton Testing: A Hand-On Introduction to Hacking BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Download ppt "Browser Exploitation Framework (BeEF) Lab"

Similar presentations

Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Presenter: Robbie Corley Organization: KCTCS

Presenter: Robbie Corley Organization: KCTCS
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Objective 107.02 Understand web-based digital media production methods, software, and hardware. Course Weight : 10%

Objective Understand web-based digital media production methods, software, and hardware. Course Weight : 10%
Offensive Security Part 1 Basics of Penetration Testing

Offensive Security Part 1 Basics of Penetration Testing
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.

A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
Penetration Testing Presented by: Elham Hojati Advisor: Dr. Akbar Namin July 2014.

Penetration Testing Presented by: Elham Hojati Advisor: Dr. Akbar Namin July 2014.
ACTIVE X By Ethan Huang. OUTLINE What is ActiveX? Component of ActiveX Why ActiveX? ActiveX and Java Security Issue.

ACTIVE X By Ethan Huang. OUTLINE What is ActiveX? Component of ActiveX Why ActiveX? ActiveX and Java Security Issue.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.

Dennis  Application Security Specialist  WhiteHat Security  Full-Time Student  University of Houston – Main Campus ▪ Computer.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Module 1: Installing Internet Information Services 5.0.

Module 1: Installing Internet Information Services 5.0.
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING
Introduction to InfoSec – Recitation 15 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 15 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Similar presentations

Ads by Google