browser exploitation framework (beef) lab team 4 : abdulaziz alhassan, lama al suwayan, xin peng,...
TRANSCRIPT
![Page 1: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/1.jpg)
Browser Exploitation Framework (BeEF)
Lab
TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG
![Page 2: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/2.jpg)
OutlineOutline
2
Introduction to BeEF
Basic Concepts
Lab Setup
Lab Scenarios
![Page 3: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/3.jpg)
Introduction
3
What is BeEF?Browser Exploitation Framework.Penetration testing tool Focuses on the web browser
• Why BeEF? Without the appropriate security patches applied, web browsers are vulnerable
to attack or exploit. Hackers add scripts that do not change the website’s appearance, but this
redirect to another web site may cause malicious programs to be downloaded to your computer.
Allow remote control of your computer by the attacker.
• What to do with BeEF? Learn BeEF different componentsUse command modules in different scenariosIntegrate the framework with other toolsLab generation
![Page 4: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/4.jpg)
Basic Concepts
4
• Cross Site Scripting (XSS)
Enables attackers to inject client-side script into Web pages viewed by other users.
Uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely.
By injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user.
![Page 5: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/5.jpg)
Lab SetupLab Setup
5
Tools Used:
Kali Linux
BeEF
Metasploit
![Page 6: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/6.jpg)
Lab SetupLab Setup
6
• Kali LinuxBeEF can be installed on Windows, Linux, Mac OSWhy Kali ?
Designed for digital forensics and penetration testing.
Preinstalled with numerous penetration-testing programs.
![Page 7: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/7.jpg)
Lab Setup
7
• BeEFArchitecture of BeEF
• The Communication Server (CS)- This the component that communicates via HTTP with the
hooked browsers.
![Page 8: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/8.jpg)
Lab Setup - BeEF
8
• User InterfaceUser Interface--Command line interfaceCommand line interface
![Page 9: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/9.jpg)
Lab Setup - BeEFLab Setup - BeEF
9
• User InterfaceUser Interface -Graphical User Interface-Graphical User Interface
![Page 10: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/10.jpg)
Lab Setup – BeEF
10
Modules The official page lists 128 modules (exploits)Modular framework
Choose modules for different scenarios- Networking- Social Engineering
Modules consists of config file Config.yaml, class file Module.rb, javascript file Command.js
![Page 11: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/11.jpg)
Lab Setup
11
• MetasploitDeveloping and executing exploit code against a remote target machine.
Import vulnerability scan dataCompare the identified vulnerabilities to existing exploit modules for accurate exploitation.
Contain wide variety of payloads not limited to a specific exploit.
We should enable the integration of Metasploit with BeEF.
![Page 12: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/12.jpg)
Lab ScenariosLab Scenarios
12
Hook!
Generating Payloads Using Metasploit
Delivering Payloads to Victim Using
Social Engineering
Executing the Payloads
![Page 13: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/13.jpg)
Hook!Hook!
13
Demo (Include JavaScript
hook.js in other pages)
![Page 14: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/14.jpg)
Hook! - Hook! - Reconnaissance
14
Getting Victim's IP
![Page 15: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/15.jpg)
15
What browser are they using? What browser plugins/ add-ons/ extensions are installed on their browser?
Hook! - Hook! - Reconnaissance
![Page 16: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/16.jpg)
16
What operating system are they using?
Hook! - Hook! - Reconnaissance
![Page 17: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/17.jpg)
Generating the Payload Using Generating the Payload Using MetasploitMetasploit
17
Demo (Generate
payloads using Metasploit)
![Page 18: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/18.jpg)
Delivering Payload to VictimDelivering Payload to Victim
18
Demo (Firefox Add-on -
Fake Flash Update)
![Page 19: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/19.jpg)
Shellshock Scenario
19
Demo (Shellshock using BeEF)
![Page 20: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/20.jpg)
Final Remarks
20
Video Guide
Learning Tool
Happy Hacking !
![Page 21: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/21.jpg)
Q & A
21
![Page 22: Browser Exploitation Framework (BeEF) Lab TEAM 4 : ABDULAZIZ ALHASSAN, LAMA AL SUWAYAN, XIN PENG, SHISHUANG SHU AND YUYAN ZHANG](https://reader038.vdocuments.net/reader038/viewer/2022103123/56649d745503460f94a53893/html5/thumbnails/22.jpg)
References
22
Alcorn, W., Frichot, C., The Browser Hacker’s Handbook. 2014
Anley, C., Heasman, J., Linder, F., Richarte, G., The Shellcoder’s Handbook. 2007.
Weidman, G., Penetraton Testing: A Hand-On Introduction to Hacking. 2014.
https://github.com/beefproject/beef/wiki
http://www.advancedpentest.com/help-install-kali-linux
http://www.offensive-security.com/metasploit-unleashed