This is how Hackers can *OWN YOU* with just a link!

Okay, what do you think will happen if I click on this link? Will my computer crash? Will my Facebook get hacked? Let's see. Check this out: this looks like a normal page with a YouTube video embedded, and I can play the YouTube video from this page. But what actually happened when I clicked this link is that my browser got hooked to the hacker's command and control server. And now the hacker can control my browser, or at least this particular tab. Let me switch to the hacker's perspective to see what can be done.

This is the hacker's perspective, and what you see here is the interface of the Browser Exploitation Framework, BeEF for short.

Before continuing with the video, let me make something very clear. This Browser Exploitation Framework is a tool used by real hackers and red teamers. If you want to use it, feel free – it's open source. But do not use it with ill intent. You can use it to hack yourself and learn how things work. But never ever use it to hack others without their consent; you could even end up behind bars if you do that. So once again, this video is only made for educational purposes, so take it the right way. Educate others about threats like this.

Okay, coming back to the BeEF control panel. On the left side, you can see the browser that is hooked, and you can right away see all the information about that browser, like the browser capabilities, IP address, User Agent, Time Zone, Cookies, etc. Okay, so why did this happen? Well, it's really simple. The JavaScript on the link that we clicked simply connected itself to the BeEF framework that is running on the hacker's computer.

This is actually not a big deal, because it is the intended functionality of JavaScript. It creates a way to write instructions that will be executed by the browser. That is just JAVASCRIPT! So with the BeEF framework, what I can do is first make someone click on a link that runs some JavaScript in their browser, and then connect to this JavaScript instance from my BeEF control panel. This is called "hooking".

So let's see what I can do on the hooked browser. In the Commands tab, there are different types of commands that can be executed. Let me go ahead and execute the Google Phishing module under Social Engineering. As soon as I execute it, you can see on the victim's browser the web page turns into a Gmail login page like this.

It doesn't redirect to a new URL; it just changes the content inside the web page. It's obviously a fake Gmail page, and if you put your credentials in there, they are captured and sent to the hacker. So, if I just come back to my BeEF control panel, I can find the entered credentials.

Okay, I'm pretty sure YOU wouldn't fall for something like this. But what about your dad, or your mom, or your grandparents? They most probably would fall victim to an attack like this, just because they may not be as well versed with computers as you and me.

So, take this as an opportunity to teach them how to stay safe on the Internet. I mean, you don't have to ask them to get a CS degree, but just tell them the basic things they need to check when submitting sensitive information online, like checking if the website has a secure connection, cross-checking the domain name of the website, etc.

There's another module in BeEF that will let you know if the hooked browser is logged into any social media like Facebook, Twitter and Gmail. This can be used for enumeration so that the hacker can find out if the victim is logged in to any social networking sites, and then he can use the "pretty theft" module to show a fake "session timeout" message asking for the user credentials to log in again. Once again, obviously this is a fake popup and the credentials entered here are just sent back to the hacker.

There are multiple social engineering attacks like this that the hacker can perform using BeEF.

If there's anything that makes browser attacks like this even worse, it is using an outdated browser. It is always advised that you use a browser which is regularly maintained and updated. For example, here I have a Windows 7 VM which has Internet Explorer 8 installed. This is an outdated browser and Microsoft stopped supporting it a long time ago. I have hooked this browser to my BeEF panel, and guess what, I can execute a module that gets the contents of the user's clipboard. That's right. This clipboard data can contain sensitive information like passwords, and all it takes for a hacker to steal them is to make you click on a link, and that's it.

The contents of your clipboard are now compromised. This obviously doesn't work in modern browsers like Chrome or Firefox.

What makes the Browser Exploitation Framework even more dangerous is when it is used in parallel with a Man-in-the-Middle attack. In a Man-in-the-Middle attack, a hacker places himself between you and your router using a technique known as ARP spoofing. So instead of sending your Internet traffic to your router, you are sending it to the man in the middle without even knowing it. The hacker can now see and even modify the Internet data you are sending as well as receiving. So before forwarding the website responses to you, the hacker modifies them and injects the JavaScript that is responsible for hooking your browser to the hacker's computer. As a result, BeEF can now interact with and control all the websites that you are using in your browser, which is, as you'd expect – GAME OVER.

As a demonstration, I set up a Man-in-the-Middle attack such that all the traffic between my Windows 11 VM and the Internet is forwarded through a proxy tool that is running on my Kali Linux VM using ARP spoofing.
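From the defender's side, the ARP spoofing step described above leaves a trace in the victim's ARP cache: the router's IP resolves to the same MAC as another host, or to a MAC that differs from the router's known one. The following check is an added example, not part of the video; the function names and the sample table are constructed for illustration.

```python
import re
from collections import defaultdict

# An IPv4 address followed later on the line by a MAC address; covers
# Linux `ip neigh` (aa:bb:...) and Windows `arp -a` (aa-bb-...) output.
ENTRY = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D.*?"
                   r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})")

def normalize(mac):
    return mac.lower().replace("-", ":")

def parse_arp_table(text):
    """Map each unicast MAC to the sorted list of IPs it is cached for."""
    by_mac = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        mac = normalize(m.group("mac"))
        if int(mac[:2], 16) & 1:  # group bit set: broadcast or multicast
            continue
        by_mac[mac].add(m.group("ip"))
    return {mac: sorted(ips) for mac, ips in by_mac.items()}

def spoofing_signs(text, gateway_ip, known_gateway_mac=None):
    """Return (severity, mac, ips) for every suspicious cache entry."""
    findings = []
    for mac, ips in parse_arp_table(text).items():
        if len(ips) > 1:  # one adapter claiming several addresses
            findings.append(("high" if gateway_ip in ips else "medium", mac, ips))
        elif (known_gateway_mac and ips == [gateway_ip]
              and mac != normalize(known_gateway_mac)):
            findings.append(("high", mac, ips))  # gateway moved to a new MAC
    return findings

# Constructed sample in Windows `arp -a` format: the gateway (192.168.1.1)
# and host 192.168.1.23 resolve to the same MAC address.
SAMPLE = """\
Interface: 192.168.1.50 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           08-00-27-aa-bb-cc     dynamic
  192.168.1.23          08-00-27-aa-bb-cc     dynamic
  192.168.1.40          3c-52-82-11-22-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

if __name__ == "__main__":
    for severity, mac, ips in spoofing_signs(SAMPLE, "192.168.1.1"):
        print(f"[{severity}] {mac} is cached for {', '.join(ips)}")
```

A router that legitimately holds several addresses on one interface also produces a shared-MAC entry, so treat a finding as a prompt to compare against the MAC printed on the router, not as proof.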

I've then written a Python script that automatically injects the malicious JavaScript for hooking into any page that is intercepted by the proxy tool. So now when I open the browser in my Windows 11 VM and go to any website that doesn't have HTTPS, the hook.js file is successfully injected into the page by the proxy tool that is running on my Kali Linux. Once the JS file is injected, it means that the browser is successfully hooked to BeEF through that particular web page.

To see what it can do, let me go to my sample WordPress website. You can see that I'm authenticated, as in, logged in to my WordPress admin dashboard. Coming back to the BeEF control panel, I can now easily retrieve the cookies of my WordPress session.

Even more convenient, I can add a new Administrator account to my WordPress since it's already authenticated on the hooked browser. Once the user is added, I can simply log in to the wp-admin dashboard using the newly created account and boom! I now own this WordPress website. This is just one of the things that can be done when using BeEF in conjunction with a Man-in-the-Middle attack; there are many other things that can be done.

The best practices to stay safe from such browser attacks are:
– Use a modern, updated browser at all times.
– Secure your home network with a strong password.
– Try to avoid using websites that have no HTTPS connection. They are vulnerable to Man-in-the-Middle attacks.

If you want to read a more technical version of this video, I will leave a link to my blog post in the description below.

So make sure you check it out. Thanks for watching.
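The injection step in the demonstration (hook.js added to pages served without HTTPS) can be checked for on the receiving end by listing every script a page loads and flagging those from hosts the site does not normally use, or fetched over plain HTTP where they can be modified in transit. This is an added example, not code from the video; the function names, hostnames, allowlist and HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script src=...> element."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def audit_scripts(html, page_url, allowed_hosts=()):
    """Return (absolute_url, reasons) for each script that deserves a look."""
    trusted = {urlsplit(page_url).hostname, *allowed_hosts}
    collector = ScriptCollector()
    collector.feed(html)
    report = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolve relative paths
        parts = urlsplit(absolute)
        reasons = []
        if parts.hostname not in trusted:
            reasons.append("unexpected host")
        if parts.scheme != "https":
            reasons.append("loaded without HTTPS")
        if reasons:
            report.append((absolute, reasons))
    return report

# Constructed sample: a page received over plain HTTP that carries one
# script tag the site owner never published (192.0.2.10 is a documentation
# address standing in for an unknown host).
PAGE_URL = "http://blog.example.test/post"
ALLOWED = {"cdn.example.test"}
RECEIVED_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.test/lib.js"></script>
<script src="http://192.0.2.10/hook.js"></script>
</head><body>Hello</body></html>
"""

if __name__ == "__main__":
    for url, reasons in audit_scripts(RECEIVED_HTML, PAGE_URL, ALLOWED):
        print(url, "->", ", ".join(reasons))
```

The site's own `/js/site.js` is reported as well, because anything fetched over HTTP on a spoofed network can be rewritten just like the page itself.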

As found on YouTube
