Establishing A Shell Through the Victim's Browser

Scenario

In this lab you will be able to practice the attack vector development techniques explained in the Penetration Testing eXtreme course.

During the lab, you will perform a remote social engineering attack against a target. The attack's requirements are the following.

The target should visit an attacker-controlled webpage with BeEF running underneath. The target will then be prompted to download and run a malicious reverse shell payload that connects back to the attacker's listener.

Our attack's requirements are as follows.

  1. The target's browser needs to be hooked using BeEF

  2. The victim will be redirected to download the attack's stage payload

  3. The commands and modules to be executed will be sent and received using BeEF

Don't panic, we will automate most of the attack's steps and put everything in a single attack vector.

Note: For optimum results, we will perform the attack against a Firefox browser. The attack works on all browsers but it is optimized for Firefox.

It should be noted here that other ways exist to achieve similar functionality, such as the beaconing malware covered in the Advanced Social Engineering module.

Goals

Develop a custom social engineering attack to establish a stealthy shell through the target's browser.

Develop a custom AutoIt script and executable to automate most of the attack's lifecycle.

The shell should be difficult to detect, everything should look like normal browsing traffic.

What you will learn

During the lab, you will learn how various techniques can be combined to compromise a target during a social engineering attack. You will also learn how to evade modern defenses (A/V, HIDS, NIDS, etc.) by writing custom code and misusing legitimate browser and .NET functionality. Finally, you will get familiar with the capabilities offered by AutoIt.

To guide you during the lab you will find different tasks.

Tasks are meant for educational purposes and to show you the usage of different tools and different methods to achieve the same goal.

They are not meant to be used as a methodology.

Armed with the skills acquired through the tasks, you can achieve the lab goal.

If this is the first time you do this lab, we advise you to follow these tasks.

Once you have completed all the tasks, you can proceed to the end of this paper and check the solutions.

  • BeEF

  • AutoIt

Note: This lab provides you with an Attacker Machine running Kali and a Target Machine running Windows. Both systems have been pre-configured with all the prerequisite software required to facilitate the attack.

Tasks

Task 1: Set up the social engineering site with BeEF

The first step of this lab is to set up the social engineering site that we will use to hook the victim's browser.

To begin with, we need to start the BeEF-XSS framework. This can be done by opening the Application Drawer on Kali and navigating to the exploitation tools section, as shown in the following screenshot.


After starting the BeEF Framework, it will launch a terminal window that will provide you with diagnostic information on the state of the framework.

Also displayed is the Hook URL, which we will need to embed in our malicious social engineering website.

You can access BeEF's web dashboard by navigating to: http://127.0.0.1:3000/ui/panel

The default credentials for the framework are: beef/password.


After logging in, you will be presented with the default dashboard with a panel to the left displaying a list of hooked browsers and their state.


Now that we have BeEF up and running, we can move on to the next step which will involve creating the social engineering site that will hook victim browsers.

This step is where you can get creative with regard to how legitimate you want the site to look. During Red Team engagements, you will need to use every tool at your disposal, including custom domains, cloned websites, etc.

For the purpose of demonstrating this attack, we will create a simple HTML site that will be hosted on the Attacker Machine via the Apache2 web server.

First things first, remove any files contained within the /var/www/html directory.


We can now create our site. In this case, we will create a single index file:

Make sure to copy the Hook URL for the interface eth1 from the BeEF terminal window. In your case the IP address of the Kali Linux system will be different, so keep that in mind.


Since the Hook URL points towards a JavaScript file, we can embed the URL to load and run the JS file when the webpage is accessed.


As shown in the preceding screenshot, the webpage is fairly simple and prompts the user to update their browser to access the website. This will make sense as we progress. What is important to note is that I have embedded the Hook URL in the head section of the HTML file.

After saving the HTML site, you will need to start the Apache2 web server service. This can be done by running the following command:

As shown in the following screenshot, our social engineering website should now be hosted on the IP address of the Kali Linux system on port 80.


We now have our website ready and can move on to the next step of our campaign.

Task 2: Automate the attack and put everything in a single attack vector

To automate the majority of the attack's requirements, you can leverage AutoIt. AutoIt is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting.

Our attack vector begins with a simple, non-malicious Windows executable generated with AutoIt. We will use the executable to connect to the social engineering website and hook the victim's browser. Once the victim's browser is hooked, we will leverage the pop-up functionality afforded to us by BeEF to prompt the user to download and execute a Metasploit payload that provides us with a reverse shell.

We will be using the Target Machine running Windows to perform our resource development. In a real engagement, resource development will have to be done on your own system.

NOTE: AutoIt and the skeleton script are already available on the Desktop of the Target Machine.


Here is the skeleton script we will be using. Ensure you insert the IP address of the Kali Linux system where KALI-IP is specified.

This is what your AutoIt script should look like:

The AutoIt script performs the following:

  1. Targets Firefox Developer Edition. In $path, enter the path to the Firefox executable.

  2. Uses the 32bit version of PowerShell ($path1).

  3. Spawns a Firefox browser and loads a web page using ShellExecute. Once Firefox is spawned, it is hidden in the background via the WinWait and WinSetState commands. In effect, those two commands tell the target's computer: whenever a window appears with the title "Firefox Developer Edition" (the default title of Firefox Developer Edition), put it in the background and keep it running.

You can find the source code at the following link: https://gist.github.com/anonymous/09f10cdb5d9b0bae4755850273083fd2

Finally, right-click the script and select "Compile Script (x86)". After compiling the script, you will be presented with a Windows executable. This is the executable that initiates our attack flow and can be sent to victims via social engineering campaigns.
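From the defender's side, the launcher described in Task 2 leaves a distinctive process-creation trail: a browser started with a URL on its command line by a binary sitting in a user-writable directory (Desktop, Downloads, Temp), and later the browser itself spawning a freshly downloaded executable. The following Python script is an added detection example and is not part of the lab, of AutoIt or of BeEF; it runs those two rules over constructed Sysmon-style process-creation records (the paths, user name and IP address are invented).

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records (Event ID 1 fields,
# reduced to UtcTime|Image|CommandLine|ParentImage). Not real telemetry.
SAMPLE_EVENTS = """\
2024-05-01 09:58:10|C:\\Windows\\explorer.exe|C:\\Windows\\Explorer.EXE|C:\\Windows\\System32\\userinit.exe
2024-05-01 09:58:41|C:\\Program Files\\Firefox Developer Edition\\firefox.exe|"C:\\Program Files\\Firefox Developer Edition\\firefox.exe"|C:\\Windows\\explorer.exe
2024-05-01 10:01:03|C:\\Users\\victim\\Desktop\\browser_update.exe|"C:\\Users\\victim\\Desktop\\browser_update.exe"|C:\\Windows\\explorer.exe
2024-05-01 10:01:04|C:\\Program Files\\Firefox Developer Edition\\firefox.exe|"C:\\Program Files\\Firefox Developer Edition\\firefox.exe" http://192.0.2.10/|C:\\Users\\victim\\Desktop\\browser_update.exe
2024-05-01 10:04:22|C:\\Users\\victim\\Downloads\\plugin.exe|"C:\\Users\\victim\\Downloads\\plugin.exe"|C:\\Program Files\\Firefox Developer Edition\\firefox.exe
"""

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Directories an unprivileged user can write to; a binary living here that
# drives the browser is far more suspicious than one under Program Files.
USER_WRITABLE_MARKERS = ("\\desktop\\", "\\downloads\\", "\\appdata\\local\\temp\\", "\\public\\")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class ProcEvent:
    time: str
    image: str
    cmdline: str
    parent: str


@dataclass
class Finding:
    time: str
    rule: str
    subject: str


def parse_events(text: str) -> list[ProcEvent]:
    """Split the pipe-delimited sample records into ProcEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, image, cmdline, parent = line.split("|", 3)
        events.append(ProcEvent(time, image, cmdline, parent))
    return events


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def detect(events: list[ProcEvent]) -> list[Finding]:
    findings = []
    for ev in events:
        image, parent = _name(ev.image), _name(ev.parent)
        # Rule 1: a browser is started with a URL on its command line by a
        # binary in a user-writable directory (the shape of the lab's launcher).
        if image in BROWSERS and URL_RE.search(ev.cmdline) and _user_writable(ev.parent):
            findings.append(Finding(ev.time, "browser-launched-by-user-writable-binary", ev.parent))
        # Rule 2: the browser itself spawns a non-browser executable from a
        # user-writable directory (a downloaded "plugin" being run).
        if parent in BROWSERS and image not in BROWSERS and image.endswith(".exe") and _user_writable(ev.image):
            findings.append(Finding(ev.time, "executable-spawned-by-browser", ev.image))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f.time}  {f.rule}  {f.subject}")
```

Rule 1 leaves the ordinary explorer.exe-started browser in the second record alone, and Rule 2 ignores Firefox's own child processes because they are browsers too; in a real environment the user-writable markers and the browser list would be tuned to the local profile layout and the browsers actually deployed.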

Task 3: Preparing our initial access payload

Before we begin our attack, we need to generate the MSF payload that we will prompt the victim to download when they visit the site.

Feel free to utilize any other Framework or stager and obfuscation techniques to evade AV detection.

In this case, we will generate a simple MSF payload:

Once the payload is generated, we will need to host it on our Apache2 web server. In order to do this, we can copy the payload executable to the /var/www/html directory:

Task 4: Launching the attack

We can now initiate our attack. In this case, we will begin from the point at which the victim has downloaded the AutoIt executable.

We can simulate the victim's activity by switching over to the Target Machine running Windows and executing the AutoIt executable we compiled.


Upon successful execution of the executable, the victim's system will launch a browser window, in this case Firefox Developer Edition, and navigate to the URL of the social engineering website we set up.

Switching back to the BeEF web dashboard reveals that the victim's browser has been hooked.


We can now move on to the final phase of the attack: prompting a pop-up window in the victim's browser that directs them to download our reverse shell payload.

This can be done by clicking on the hooked browser and navigating to the Social Engineering modules as shown.


We will utilize the Fake Notification Bar module to prompt the victim's browser with a notification to download the payload.

For the Module Options we will need to set the Plugin URL to the URL/address where we are hosting the payload. You can also customize the notification text to entice the victim to download the payload.


Executing the module will trigger a notification bar on the victim's browser.


Installing the plugin will automatically download the payload executable. Once the victim launches the payload executable, we will be provided with a reverse shell.


Congrats! You established a stealthy shell through your target's browser!
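Seen from a web proxy, the chain built in Task 1 and Task 4 has three recognisable stages: a client fetches hook.js from a host on port 3000, the hooked browser then sends short, evenly spaced requests back to that host for as long as it stays hooked, and finally an executable is pulled from the same host once the Fake Notification Bar is accepted. The following Python script is an added detection example, not part of the lab, of BeEF or of Apache; the log lines are constructed, /hook.js is BeEF's default hook name as shown in the lab, and the /dh polling path in the sample is illustrative only (the rule keys on request timing, not on the path).

```python
import statistics
from collections import defaultdict, namedtuple
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic):
#   epoch_seconds client_ip method url status content_type
# Client 10.0.0.23 mirrors the lab chain: page on :80, hook.js on :3000,
# evenly spaced polls to :3000, then an .exe from the same host.
# Client 10.0.0.44 is ordinary browsing and should produce no findings.
SAMPLE_LOG = """\
1714557600 10.0.0.23 GET http://192.0.2.10/ 200 text/html
1714557601 10.0.0.23 GET http://192.0.2.10:3000/hook.js 200 text/javascript
1714557603 10.0.0.23 GET http://192.0.2.10:3000/dh?id=constructed 200 text/javascript
1714557605 10.0.0.23 GET http://192.0.2.10:3000/dh?id=constructed 200 text/javascript
1714557607 10.0.0.23 GET http://192.0.2.10:3000/dh?id=constructed 200 text/javascript
1714557609 10.0.0.23 GET http://192.0.2.10:3000/dh?id=constructed 200 text/javascript
1714557611 10.0.0.23 GET http://192.0.2.10:3000/dh?id=constructed 200 text/javascript
1714557613 10.0.0.23 GET http://192.0.2.10:3000/dh?id=constructed 200 text/javascript
1714557640 10.0.0.23 GET http://192.0.2.10/plugin.exe 200 application/x-msdownload
1714557610 10.0.0.44 GET http://www.example.com/index.html 200 text/html
1714557612 10.0.0.44 GET http://www.example.com/js/app.js 200 text/javascript
1714557650 10.0.0.44 GET http://www.example.com/js/vendor.js 200 text/javascript
"""

Request = namedtuple("Request", "ts client method host port path status ctype")
Finding = namedtuple("Finding", "rule client host detail")

EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}


def parse_log(text):
    """Parse the whitespace-separated sample format into Request tuples."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype = line.split()
        u = urlsplit(url)
        reqs.append(Request(int(ts), client, method, u.hostname, u.port or 80, u.path, int(status), ctype))
    return reqs


def detect(reqs, min_polls=5, max_jitter=2.0):
    findings = []
    # Stage 1: which clients fetched a hook script from which host, and when.
    hooked = {}
    for r in reqs:
        if r.path.lower().endswith("/hook.js") and r.status == 200:
            hooked[(r.client, r.host)] = r.ts
            findings.append(Finding("beef-hook-fetch", r.client, f"{r.host}:{r.port}", r.path))
    # Stage 2: after the hook, evenly spaced requests back to the same host:port.
    by_key = defaultdict(list)
    for r in reqs:
        by_key[(r.client, r.host, r.port)].append(r.ts)
    for (client, host, port), times in by_key.items():
        hook_ts = hooked.get((client, host))
        if hook_ts is None:
            continue
        polls = sorted(t for t in times if t > hook_ts)
        if len(polls) < min_polls:
            continue
        gaps = [b - a for a, b in zip(polls, polls[1:])]
        if statistics.pstdev(gaps) <= max_jitter:
            detail = f"{len(polls)} requests, median gap {statistics.median(gaps)}s"
            findings.append(Finding("periodic-polling-to-hook-host", client, f"{host}:{port}", detail))
    # Stage 3: an executable pulled from the hook host by an already-hooked client.
    for r in reqs:
        hook_ts = hooked.get((r.client, r.host))
        is_exe = r.path.lower().endswith(".exe") or r.ctype in EXECUTABLE_TYPES
        if hook_ts is not None and r.ts > hook_ts and is_exe:
            findings.append(Finding("executable-download-after-hook", r.client, f"{r.host}:{r.port}", r.path))
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f.rule:32} {f.client:12} {f.host:18} {f.detail}")
```

The hook fetch alone is a high-confidence indicator; the periodicity and download stages add context that an analyst needs to prioritise the host and to trace what the victim actually ran. The same data also points at the cheapest mitigation: a proxy policy that blocks outbound connections to non-standard ports and flags script loads from bare IP-literal hosts breaks the hook before the notification bar ever appears.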
