Welcome to Part 10 of this module. The subject for this video is going to be client-side exploitation using the BeEF framework. BeEF is short for the Browser Exploitation Framework. Simply put, it is a penetration testing tool that focuses on the web browser. At this point you may be wondering what this tool is doing in the module covering Metasploit. Well, to begin with, I had to put it somewhere, and it is often used in conjunction with Metasploit, as we'll see a bit later. So what does client-side exploitation actually mean? Simply put, it is the process of attacking a client, more specifically the operating system and the programs that are installed on the target computer. The main objective is to find exploits that run on the client's operating system and exploit them. So in that way it's very much like Metasploit, and we're going to start off by looking at how to use BeEF to exploit browser-based vulnerabilities. And once we have a firm grasp of what BeEF is and the basics of how it works, then we're going to transition and look into how it is used in conjunction with the Metasploit Framework. So BeEF is a tool that is, like I said, very similar to Metasploit right off the bat, in that we use it to find vulnerabilities in browsers.
Our goal is to hook these browsers using exploits, much in the same way that we use msfconsole to attack the operating system and its apps directly. It allows for the performance of phishing attacks and it runs on a web interface. This means that to make it work against a target during a penetration test, some degree of social engineering on your part is going to be needed, even if it is only to entice the target to click a malicious link. Before we begin it is important to go over a couple of basic prerequisites. I realize this will seem repetitive to those of you who have been following along with these videos in order, but it is important. So I'll try to get through this quickly, okay? First of all, we're going to be running this on a client. There will be no Metasploitable this time. Instead our target is going to be a Windows 7 Service Pack 1 virtual machine, which you may remember from the prior video was Bob's computer, Bob being our fictional target that we're going to be using these exploits against as we walk through the social engineering aspect of BeEF. If you want to follow along with this video, a virgin installation of Windows 7 without any updates, running in a second VirtualBox instance, should work just fine.
The browser that we will be attempting to hook and then exploit is going to be Mozilla Firefox, and I should hasten to add that you can use BeEF against pretty much any operating system that runs a modern browser. Windows 7 is just for the purposes of easy demonstration. Now obviously the more updated an operating system is, the fewer exploits will be available for it, but just like Metasploit, new exploits are being found and added almost daily. Last but not least, it is important to remember that we will be performing these steps against a computer that is on our own local area network. If you want to use BeEF against a target over the Internet that you have written permission to penetration test, please see the prior video on port forwarding. Once you've set that up, you just need to use your public IP address in place of your network IP. All right, so let's get started. Now there are multiple ways that we can load the BeEF framework. If you're still using the defaults that came with your Kali Linux installation, you'll probably see BeEF right here on the dock in the form of this cow icon, "BeEF XSS Framework", cross-site scripting being what XSS denotes. Now we could just click on that, or we could go up to Applications, Exploitation Tools, and we'll find BeEF right under Armitage.
So we're gonna go ahead and launch BeEF, and it's going to take a few seconds to load, and as part of the process it's going to open up the browser window, which in this case is going to be Firefox unless you've specifically changed your default browser for Kali. I have to point out that sometimes, particularly on older machines, you may get a tab saying that you were unable to connect, as I think we'll see here in just a moment. Yeah, here we go. If this happens, just click the Refresh button and try again, and after one or two tries you should see the BeEF login screen. Now I'm sorry to say that I don't quite know why this is an issue on some systems, but it seems like in some cases the framework is slower to load than the browser that is trying to connect to the framework prior to it loading. Now faster computers shouldn't encounter this issue, but in VirtualBox it tends to be more likely. Incidentally, the username and password combination for the authentication screen is going to be beef for both fields. But don't worry about that just yet. Before we actually dive in, I want to take a moment to show you how to load BeEF from the terminal, because it's a little different than other Kali tools, and if you're running BeEF on a virtual private server or something of that nature, this information is going to be important.
So to do this we just type cd /usr/share/beef-xss, then list the files, and then we can see that there is the beef executable listed in green. It's actually a script, so we would do ./beef and that would launch it from the terminal window. Now this is going to be important later on, so there is a reason why I'm showing this now, but we've already got it loaded, so let's go ahead and get started. Now it's going to display some information here that is very important. As mentioned at the start of this video, BeEF is used to hook a browser, but what does that mean exactly? The hooking process is essentially getting the target to click a link containing the hook JavaScript file, the path to which you can see in the highlighted text; this file can be edited, as we'll see in a moment. Once the target does click this link, it will tie their browser back to the BeEF server. In other words, the target clicks a bad link containing the JavaScript hook, at which point their browser is hooked and tied back to the BeEF server, which is going to be running on our Kali installation for this demonstration. The first piece of information presented to us is the UI panel URL. This is what opens up the browser.
When we initially launched BeEF, this is going to be the local IP, and it's going to be 127.0.0.1 and port 3000. So if we go back to our browser, we can see that the URL for the authentication page is the same. Next I want to call your attention to the hook line. For the hook we have a URL leading to a JavaScript file. This is the important part. It is a JavaScript file that you would include in a web page. The target clicks the link, visits the page, triggers the script, and then they're hooked. It is at this point that you have to decide how you want to run this. Now for this tutorial we will be using an Apache server from within Kali Linux to host the files for our phishing link. In the real world this is probably a very bad idea for quite a few reasons. Now you could, for instance, set up a virtual private server anonymously, as has been spoken of before, and we'll go over that again in more detail later in this class. A free and disposable service might even work for something this simple, or possibly a small Raspberry Pi or something of that sort out in the world that is set up to act as a server.
There are a lot of possibilities, and I leave it to you to decide how you want to actually implement this for your own penetration tests, but again, for demonstration purposes and to keep things as simple as possible, we'll be doing all of this from within Kali. So just keep in mind that if you decide this method is the one you prefer, it won't be very anonymous and you will need to set up port forwarding for any non-local clients. So now we're going to go ahead and copy this hook line. Actually we don't need "Hook", we just need the line itself. So we'll highlight it, copy, and now we'll need to grab our local IP address with ifconfig. Mine is going to be 10.0.0.7 and yours will almost certainly vary, and then we need to start the Apache service. This is very important. If you don't do this, nothing else shown in this tutorial is going to work. So don't forget: we're going to do service apache2 start, simple as that. Now with the web server started we need to edit the web page file that is stored on our web server, and that can be found by going to your file explorer, clicking Other Locations, Computer, var, www, and then we open up the html folder.
Now here is the default web page that is used with Apache. Now you could use this, but it's really not suitable for our purposes because it gives the game away of what we're trying to do. So if you want to keep these, go ahead and back up these two files somewhere else; if you don't care, or once that's done, we're gonna go ahead and we're going to delete this second one. We're going to keep index.html, and we're going to go ahead and right-click on index.html, we're going to select Open With Other Application, and we're going to be selecting Leafpad. And if you don't see Leafpad here as an option, just click View All Applications and it should come up in the list of available programs. Now as I said, this web page that comes as a default is really not particularly good for what we're trying to do. So we're gonna go ahead and we're going to delete all of this, and then I'm gonna type bracket, DOCTYPE html, close bracket. You can follow along if you wish, or you can create your own small website. I'll try to do this quickly. You'll say the title, 404 error. This is again just for demonstration purposes, and we'll give it a body, and we're gonna say "The server you are trying to reach is currently down for maintenance."
And then, pardon all these keystrokes, and then "Please try again later." And also please excuse my typing. All right, so this is an extremely simple web page, and really all it is is this; we're gonna click File, Save. And now when someone navigates to this page, they're going to be presented with what looks like a 404 error telling them that the server they're trying to reach is currently down for maintenance, and we'll ask them to please try again later. Now the idea here is that we're going to send Bob an email telling him that his great uncle's cousin six times removed has just died and Bob is now the heir to a sizable fortune. Despite having just fallen for this trick in the prior video, Bob is very gullible, so he's going to click this link, and this is essentially the web page that he's going to be presented with. He's going to assume that it's down for maintenance and that he needs to check back later, so he'll go about his business and he'll never realize that he's been hooked. And that's the idea anyway. But if we want this to be successful, we need to include our JavaScript, which is to be placed between the opening and closing tags, so we're just going to click on this empty line here and we're going to paste, and it's nicer when it lines up with the title. OK.
Now this is very important. Don't make the mistake I did. I had a heck of a time with this. It's easy to miss. Notice that the line it gives you presents the IP address between these two brackets, and these two brackets are not supposed to be there. It's easy to miss. So we're just going to delete those two brackets and we're going to supply our network IP, which in my case is this one; yours will vary. Now if you were doing this over the Internet with port forwarding enabled, you would supply your public IP here, and it's going to be port 3000 unless you specify otherwise. You may also want to specify a particular web URL, but that would be more advanced. So once this is done we're going to click Save. And now we're going to go over to BeEF and we're going to log in. Remember that the username is beef, all lowercase, and the password is the same. Once inside you'll be presented with this default interface. Hooked browsers will appear on the left-hand panel in either an online or offline state. There is a Getting Started guide of course, and a tab for all logs. Now I might be getting a little ahead of myself here, but before we go any further I want to quickly explain this traffic light system.
Basically, once we've hooked a browser and start looking over the exploits that can be used against it, you'll notice that they all have colored circles next to them. Yellow circles mean that the exploit, or module as it were, will function against the target in a way that is theoretically invisible to the target user. In other words, Bob won't know anything is happening when we launch the exploit against him. He won't see anything on his screen that is out of the ordinary or that might give the game away. Now orange, on the other hand, means that the exploit is available against that particular target, but some things that you do may end up being visible on the user's screen or might otherwise tip off the user. The only thing I can really say here is that I recommend you practice on your own with these sorts of exploits so that you know what you're doing and you know what they do, and that way you won't make little mistakes that will tip off the target user. You need to be cautious when using them, but they can get the job done. Now gray, at least I think that color is gray, maybe it's more white, in any case means that the module is yet to be verified against the target. It might work, it might not. You should always treat any gray module as also being orange.
Your actions while using it may or may not be visible to the target user, assuming that it works at all. And of course red means that the module isn't going to work against the target. Depending on how up to date your target is, you may see a lot of potential exploits coming up in red. So here we are in a Windows 7 virtual environment. Like I said, this is just standard Windows Professional Service Pack 1 installed with the latest version of Firefox, no updates, no bells and whistles, nothing fancy. And we're going to go ahead and we're going to load up Firefox, and this would work with pretty much any browser, by the way. So it's time to hook our first browser. Let's pretend that this Windows 7 computer belongs to Bob. We just sent Bob a link that he's going to click on. Now maybe we did this by email, once again pretending that he just inherited millions of dollars, or maybe we tricked him in some other kind of a way. The point is, this link is going to open up the web browser and cause the browser to connect to our bogus website, which we're running on Apache2 back on our Kali Linux machine. When that happens, BeEF is going to hook the browser and then we can go ahead and exploit it. So to simulate this we're just going to go ahead and we're going to type in the URL. So in this fictional scenario Bob just clicked on the link and reached this page telling him that the website is currently down. Bob is disappointed but will go about his business and try again later. Now we could have been more complex here if we wanted to be. For example, we could code up an entire functional website including the JavaScript hook code and then host it somewhere out there on the Internet. Unethical black hat types may even download an existing website, just lock, stock and barrel, and then host the copy including the bad JavaScript file, the hook, to fool people who visit it, like Bob, and hook their browsers. Particularly unethical black hat types might even hack into an existing website and add the hook and then just otherwise leave it untouched, turning the website into a trap for browsers that come to visit it. The point is, this demonstration just has our victim looking at a 404 error, but you can get as creative as your skills and resources allow. Just remember to be ethical and lawful. Let's go ahead and flip back over to Kali. Here we can see that we've successfully hooked Bob's browser. We click on it.
We can get all sorts of useful information, all of which is visible under the Details tab: browser version, browser language, browser platform, the window size, the browser components, for example is it running Adobe Flash? No, which means that Adobe Flash exploits aren't going to work against it. We keep going down; the second category tells us about the web page we used as a hook. And finally some other useful details such as screen size and whether or not the device is a touch screen, which will affect some of our exploits. Now it's time to look at the exploitation side of things. Keep in mind that every browser, whether it be Firefox or Internet Explorer or Google Chrome, is going to have different vulnerabilities depending on its version. Some exploits will have been patched. Others may come to exist in the future. BeEF can be very powerful if you find a vulnerability that works. It's just not a guarantee. So we click Commands, because that is where all the modules are stored. And just like Metasploit, it's all nicely organized for us into folders. Let's look at a couple of things under Browser. Now remember the traffic light symbol that I explained before, and keep it in mind, because some of the actions that you perform may be visible to our target user Bob.
Notice that some of these have the green light, whereas others have the gray or white, depending on your interpretation. And if we scroll down we should see orange and red. There are a lot of things that we could do here. For example, we could play a sound on the target computer, but we would need to specify a file path for it. Remember this one for when you're done with your penetration test. We could activate the target's webcam, although this does not happen automatically. Now, because this exploit uses Adobe Flash and we know that Bob doesn't have it installed, this isn't really going to work, but I'm going to execute it anyway to give you an idea of what this looks like from Bob's end. So if we click Execute, we can see that the command was sent, and now we're going to bounce over to the Windows 7 machine and we can see that Bob has received this message: "This website is using Adobe Flash in order to work with the programming framework this website is using. You need to allow the Flash Player settings if you are new to AJAX and HTML5 features in conjunction with Adobe Flash Player. It will increase your user experience." Basically this is trying to trick Bob into enabling Flash.
He doesn't have it installed, so it's not really going to work, but with some users this might work, and we could change this text here. For example, we come over here, we could change the title to "Please install Adobe Flash", and we could change the text to anything we want: "This website requires the latest version of Adobe Flash Player. Please download from this completely evil link to our Trojan horse." And then we execute it. Command sent, and we can see that the new message has been displayed for Bob. So now hopefully Bob falls for this, and then we provided a link (we didn't really, but we could have) to a web page with a version of Adobe Flash that is trojanized by us. So this is an example of one way you can socially engineer a target. Okay, so that was one example. Now let's try one of these gray ones, Detect VLC. We'll see if Bob's computer is running VLC; that will tell us if we can use relevant exploits. It's gray, so we don't know for sure if Bob will see anything or not. We execute, bounce back over to Windows. Bob saw nothing. Click on command 2 and we can see that VLC = no. So the VLC player is not currently installed. Now let's go ahead and Detect Windows Media Player.
This one is green, so we know it should be invisible. Command sent. Click command: Windows Media Player was not detected, which is unusual because this is a new version of Windows, so it should be there. But maybe it's just because it's not been set up yet. And once again Bob saw nothing. Now let's try Get Visited URLs. This can be a useful one. Here we just type in a particular URL, for example www.facebook.com, and execute. This might be very useful if your goal was to obtain Bob's Facebook credentials and then attempt to take over his browser to sidestep two-factor authentication. We can see that the answer has come back false. Again, this is a newly installed version of Windows, so perhaps I should visit Facebook, but you get the idea. But the last thing to say about this first category under Browser: it's worth using a few of these modules first, such as Detect Toolbars, Detect a media player and so on, to gather information about the target before we attempt to use any exploits. Detect Pop-up Blocker is a particularly good one, because pop-up blockers will screw up quite a few of the social engineering exploits that rely on you to supply some sort of flavor text to trick the target into doing something, similar to what we just saw with the Adobe Flash Player. So now we're going to go into Hooked Domain.
And here we can see even more exploits, most of them with the green traffic light. We can try to get a session cookie, grab a page in an iframe, redirect the browser, replace videos; that last one will do what is called a Rick Roll by default. If you aren't old enough to know what that is, by all means Google it. And scroll down a bit. Session stores and cookies are useful for obvious reasons, of course, and they may contain login information. Let's now turn our attention to Exploits. Exploits are mostly concerned with taking over systems, home routers and the like. ActiveX: so if the user has ActiveX installed, we can attempt to exploit that. Cameras: on the local network rather than the webcam on the computer, in other words, for example, CCTV cameras and that sort of thing. Hosts again has more intelligence gathering, trying to grab a physical location or a geolocation, trying to get the Internet IP of the computer, and what IP ranges to potentially attack for other computers on its network. OK, you get the idea now. One thing that needs to be pointed out is that if the user, who is still Bob in this case, browses away from the hooking web page, like so, and then we refresh, notice that Bob's browser has gone from online to offline.
336 00:27:13,150 --> 00:27:24,440 This means that it is no longer hooked. So if we go back we can see that we have re-hooked the browser 337 00:27:24,440 --> 00:27:25,290 once again. 338 00:27:25,510 --> 00:27:31,070 So the point here is you need to keep your target on the web page for a while. 339 00:27:31,070 --> 00:27:37,230 And this really is the fundamental art and Achilles' heel of BeEF. 340 00:27:37,280 --> 00:27:42,890 That is why, to get the most out of this framework, you are really going to have to present some kind 341 00:27:42,890 --> 00:27:49,160 of a fake page that holds the user's attention long enough for you to do whatever it is you plan to 342 00:27:49,160 --> 00:27:50,390 do. 343 00:27:50,390 --> 00:27:58,160 There is an alternative to that, however: we can attempt to redirect the target browser somewhere else 344 00:27:58,220 --> 00:28:00,750 while keeping it hooked into BeEF. 345 00:28:00,950 --> 00:28:08,380 That will eliminate the problem of Bob browsing away, but it's not necessarily easy to pull off. 346 00:28:08,390 --> 00:28:14,720 So once again we're going to go into Commands, Browser, Hooked Domain, and we're going to go down to Redirect 347 00:28:14,720 --> 00:28:19,460 Browser (iframe). Now, to do this 348 00:28:19,490 --> 00:28:27,210 we're going to need to give the module our IP address or URL, whichever one we are using. 349 00:28:27,260 --> 00:28:35,660 So in my case it's 10.0.0.7, port 3000, and we're going to need to give it a web page to redirect 350 00:28:35,660 --> 00:28:36,240 to. 351 00:28:36,320 --> 00:28:38,930 Now I recommend that you test this in advance. 352 00:28:38,930 --> 00:28:45,930 Some pages will detect iframes and block the redirect, which is really a pain. 353 00:28:45,950 --> 00:28:53,270 I noticed that CNN.com does that but BBC does not. 354 00:28:53,270 --> 00:28:56,120 So I'm going to use BBC for this example 355 00:28:59,250 --> 00:29:01,620 and now we'll click Execute. 
356 00:29:01,620 --> 00:29:04,990 And as you can see, we're now at BBC.com. 357 00:29:05,220 --> 00:29:12,030 Although the URL remains the same. In this case we're using something called an iframe to show 358 00:29:12,030 --> 00:29:16,170 BBC.com while still giving the attacker access to the system. 359 00:29:16,170 --> 00:29:19,950 Now the victim can click any of the links presented on the site. 360 00:29:19,980 --> 00:29:24,680 However, the URL is going to remain the same and the browser will remain hooked. 361 00:29:24,690 --> 00:29:30,420 This affords a penetration tester a little extra time to quickly use whatever information gathering 362 00:29:30,420 --> 00:29:34,810 modules are necessary and then perform the attacks. Typically 363 00:29:34,830 --> 00:29:41,100 all of this is scripted, though. Hackers who use BeEF generally, as I said, buy a virtual private server 364 00:29:41,430 --> 00:29:49,250 or something of that nature anonymously, set up a bad web page, hook browsers, and then visitors with 365 00:29:49,250 --> 00:29:53,850 the hooks go to the server and an automated script plays out for each one. 366 00:29:53,850 --> 00:29:57,870 That is why a lot of these bad redirect sites on the Internet exist. 367 00:29:58,020 --> 00:30:04,200 There isn't necessarily a hacker sitting behind a desk personally redirecting the traffic, although sometimes 368 00:30:04,200 --> 00:30:04,670 there is. 369 00:30:04,680 --> 00:30:05,690 You have to be careful. 370 00:30:05,700 --> 00:30:09,110 The rest of the time it just has to do with advertising. 371 00:30:09,120 --> 00:30:17,160 In any case, as an attacker you can still run any of the modules against the target so long as the browser 372 00:30:17,160 --> 00:30:18,930 remains hooked. 373 00:30:18,930 --> 00:30:23,520 It's also not a bad idea to see if the target is running on a virtual machine or not. 
374 00:30:23,580 --> 00:30:30,770 So we'll click Execute, and we can see that it is. One reason we might want to do that first is that if 375 00:30:30,770 --> 00:30:37,490 an antivirus company were visiting our website to test for malicious code, we might want to make sure 376 00:30:37,490 --> 00:30:41,630 BeEF does not run any attacks against virtual machines. 377 00:30:41,630 --> 00:30:44,830 We can see that it is. One reason this would be important 378 00:30:44,870 --> 00:30:53,870 is that a malicious website owner might wish to script BeEF to check for a virtual environment as the 379 00:30:53,870 --> 00:30:59,750 very first thing it does out of the gate, and then not execute any sort of exploits or script against 380 00:30:59,750 --> 00:31:03,260 a target that is operating in a virtual environment. 381 00:31:03,260 --> 00:31:09,650 The reason is that antivirus companies typically test websites that they suspect from within the safety 382 00:31:09,650 --> 00:31:11,330 of a virtual box. 383 00:31:11,330 --> 00:31:18,170 We can also get things like geolocation and physical location as well as wireless keys, but these will 384 00:31:18,170 --> 00:31:20,500 not work against a virtualized environment. 385 00:31:20,510 --> 00:31:23,280 In fact a lot of these won't work against a VM anyway. 386 00:31:23,300 --> 00:31:28,070 So checking to see if you're up against one is generally a good first step. 387 00:31:28,070 --> 00:31:31,120 Now there are a couple of other things that we can do. So far 388 00:31:31,130 --> 00:31:36,930 we've taken over the browser and redirected the user to what looks like a normal web page, so the 389 00:31:36,960 --> 00:31:39,290 user can browse around. 390 00:31:39,290 --> 00:31:46,640 Now imagine that we sent Bob a link to Facebook and he clicked it, leaving his mail up the whole time. 
391 00:31:46,760 --> 00:31:52,430 We could be attacking the system for the duration. Under the Social Engineering category we have another 392 00:31:52,430 --> 00:31:59,120 good example: Fake Flash Update is going to try to trick the user into downloading a file that we want 393 00:31:59,120 --> 00:32:00,590 the user to install. 394 00:32:00,620 --> 00:32:05,300 We have to give it our IP and then specify the URL for the file. 395 00:32:05,300 --> 00:32:07,770 For this example I'm going to leave it alone. 396 00:32:07,790 --> 00:32:11,500 Then we click Execute, send the command. 397 00:32:11,810 --> 00:32:18,560 Now if we bounce over to Windows 7 we can see that we're being presented, or rather Bob is being presented, 398 00:32:19,040 --> 00:32:23,420 with the beef-master.zip, which is really not a file you should download. 399 00:32:23,420 --> 00:32:29,660 Of course this is just a demonstration; we would replace this with whatever our Trojan horse was. 400 00:32:29,660 --> 00:32:38,300 So if we presented Bob with one of the previous exploits and indicated that he needs to update his Flash 401 00:32:38,300 --> 00:32:45,380 media player, and then immediately presented him with a fake Flash update, he's quite likely to save the 402 00:32:45,380 --> 00:32:46,720 file and open it. 403 00:32:46,760 --> 00:32:52,250 And of course it probably will be a real Flash update, but it will contain malicious code which will 404 00:32:52,250 --> 00:32:55,300 further infect the system, et cetera, et cetera. 405 00:32:55,340 --> 00:32:58,840 So that's another approach that you can take. 406 00:32:58,910 --> 00:33:01,810 Let's take a look at another one: Google Phishing. 407 00:33:01,820 --> 00:33:06,960 Once again we just give it the attacker's IP, which is to say our IP address, 408 00:33:09,060 --> 00:33:11,360 port 3000. Execute. 409 00:33:11,370 --> 00:33:18,840 Lo and behold, Bob got seamlessly redirected to what appears to be a Google email login. 
410 00:33:18,840 --> 00:33:27,360 This is of course fake, but if we put in the username, we don't know, let's say test, and the password 411 00:33:27,810 --> 00:33:28,420 test. 412 00:33:28,530 --> 00:33:35,220 ABC, and then click Sign In, now it tells us to enter our email or phone. 413 00:33:36,240 --> 00:33:41,850 But notice that we are now at the real Google.com. 414 00:33:41,850 --> 00:33:44,430 Now if we switch back and check, 415 00:33:44,430 --> 00:33:48,920 notice that the username and password are displayed, test and test. 416 00:33:48,930 --> 00:33:55,070 ABC, in clear text, and the same technique works against any website. 417 00:33:55,100 --> 00:34:03,720 So Facebook, other emails, banks, whatever. The target, in this case it's still Bob, enters his credentials 418 00:34:03,720 --> 00:34:07,200 into a fake site and is then redirected to the real one, 419 00:34:07,240 --> 00:34:12,230 while you, as the attacker, get to see that information in plain text. 420 00:34:13,280 --> 00:34:21,790 The only downside of this is that you will lose your hook, as the victim is ultimately redirected to 421 00:34:21,790 --> 00:34:24,920 a real web page and the iframe is lost. 422 00:34:24,940 --> 00:34:31,390 And remember that all this can be scripted, which can allow hackers to gather a lot of credentials just 423 00:34:31,390 --> 00:34:32,570 through one website. 424 00:34:32,710 --> 00:34:38,260 So I've gone ahead and re-hooked our target, and now let's take a look at Pretty Theft. 425 00:34:38,260 --> 00:34:48,790 We can see that we have options for a fake Facebook, LinkedIn, Windows, YouTube, Yammer, iOS, or just a 426 00:34:48,790 --> 00:34:51,550 generic page that we could customize. 427 00:34:51,550 --> 00:35:01,450 If we do Facebook, for example, and supply our IP or URL and we click Execute, we can see that Bob is 428 00:35:01,450 --> 00:35:04,800 now being presented with a Facebook session timeout. 
429 00:35:04,900 --> 00:35:11,050 And this is something that can actually happen on certain sites that connect to Facebook, such as, for 430 00:35:11,050 --> 00:35:12,310 example, a news site. 431 00:35:12,310 --> 00:35:18,020 So depending on where you redirected Bob, this might actually have some degree of credibility. 432 00:35:18,040 --> 00:35:24,150 So let's go ahead and enter email@email.com. 433 00:35:24,280 --> 00:35:28,270 And for the password we will do test. 434 00:35:28,300 --> 00:35:29,140 ABC 435 00:35:33,780 --> 00:35:35,440 and now if we come back over to Kali 436 00:35:38,900 --> 00:35:42,760 we can see that that information was harvested in plain text. 437 00:35:42,770 --> 00:35:48,890 But so what? If we try to log in, Facebook will notice that this isn't the computer that Bob usually logs 438 00:35:48,890 --> 00:35:49,450 in from. 439 00:35:49,450 --> 00:35:56,030 And it's going to demand that we get a text message on Bob's phone with a verification code, or whatever 440 00:35:56,030 --> 00:35:56,820 other method. 441 00:35:56,840 --> 00:35:59,440 And of course we can't really do that. 442 00:35:59,480 --> 00:36:04,940 And then Bob is going to get prompted by the service, and it's going to say, hey, someone unknown just 443 00:36:04,940 --> 00:36:10,700 tried to log into your account. Was this you? And you should really change your password, by the way. 444 00:36:10,700 --> 00:36:15,400 So then our goal would be to take over Bob's browser remotely. 445 00:36:15,590 --> 00:36:16,700 So if we right-click 446 00:36:21,320 --> 00:36:29,270 we can see a Use as Proxy option, so that anything we do on our own browser will be routed through his 447 00:36:29,330 --> 00:36:30,800 as a middleman. 448 00:36:30,800 --> 00:36:37,760 In other words, it will appear to Facebook as though our target is accessing the service from their own 449 00:36:37,760 --> 00:36:44,520 computer, even though it's really us going through that machine using our own browser. 
450 00:36:44,570 --> 00:36:52,160 And this technique, if successfully achieved, will sidestep most forms of two-factor authentication, because 451 00:36:52,160 --> 00:36:58,000 the social media or the banking site or whatever isn't going to notice that anything is amiss. 452 00:36:58,070 --> 00:37:01,780 So no alarms will be set off, at least in theory. 453 00:37:01,820 --> 00:37:03,150 This doesn't always work. 454 00:37:03,170 --> 00:37:05,960 So your mileage may vary. 455 00:37:05,960 --> 00:37:06,310 All right. 456 00:37:06,320 --> 00:37:13,400 So in case it's not abundantly clear yet: don't go clicking on any strange links that you get from sketchy 457 00:37:13,400 --> 00:37:14,470 sources. 458 00:37:14,480 --> 00:37:20,840 Notice also that many of the exploits listed have to do with taking over devices such as wireless gateways 459 00:37:20,840 --> 00:37:21,840 and the like. 460 00:37:22,010 --> 00:37:30,140 If your goal is persistent access or to hack other machines on the target's network, this would be your 461 00:37:30,140 --> 00:37:31,570 focus right here. 462 00:37:31,580 --> 00:37:34,370 There are a lot of different attacks that can be performed. 463 00:37:34,430 --> 00:37:40,180 A normal user would just browse the website like normal and would never really know. 464 00:37:40,230 --> 00:37:42,990 Okay, that was all a lot to take in. 465 00:37:43,280 --> 00:37:46,960 And we've really only just scratched the surface. 466 00:37:46,970 --> 00:37:52,850 Hopefully you have enough information now that you can experiment with the various modules and see what 467 00:37:52,850 --> 00:37:54,770 they do against a VirtualBox. 468 00:37:54,830 --> 00:38:00,870 However, I bet you're still wondering what BeEF is doing in a module dedicated to Metasploit. 469 00:38:01,100 --> 00:38:08,680 After all, there really only appears to be a grand total of one Metasploit exploit. 470 00:38:09,860 --> 00:38:12,070 Which doesn't work very well, by the way. 
471 00:38:12,080 --> 00:38:19,750 So now we're going to see how to integrate Metasploit into BeEF. Before we begin, 472 00:38:19,750 --> 00:38:23,890 it's going to be necessary to completely reboot. 473 00:38:24,100 --> 00:38:27,410 We want everything fresh before we do this. 474 00:38:27,460 --> 00:38:31,330 So I'm going to pause the recording and resume as soon as that is done. 475 00:38:31,420 --> 00:38:37,060 Once the reboot is complete, the first thing we're going to need to do is open up a terminal window, and 476 00:38:37,060 --> 00:38:44,240 from within this window we're going to navigate over: cd /usr/share 477 00:38:44,250 --> 00:38:57,130 /beef-xss, and we'll list files. You can see that we have a file called config.yaml. We're 478 00:38:57,130 --> 00:39:03,040 going to need to edit this with a text editor, in this case Leafpad, as the first step to getting Metasploit 479 00:39:03,040 --> 00:39:15,700 to interact with BeEF. So we're going to do leafpad config.yaml. Once open, we're going to 480 00:39:15,700 --> 00:39:25,120 do a search with Ctrl+F to find the entry for metasploit. Here we can see it, and we're going to change, 481 00:39:25,510 --> 00:39:36,270 underneath metasploit where it says enable: false, we're going to change false to true. Once done, we'll 482 00:39:36,270 --> 00:39:41,030 go to File and we'll save it. Then we can close out of this. 483 00:39:41,030 --> 00:39:53,380 Now we need to go into cd extensions. We'll list files. We can see a folder called metasploit, so we'll 484 00:39:53,380 --> 00:40:00,710 cd into it, list files once again, and here we can see a second configuration file. 485 00:40:00,720 --> 00:40:04,220 And we're also going to need to edit this one in the same way. 486 00:40:04,230 --> 00:40:07,200 So leafpad config. 487 00:40:07,210 --> 00:40:08,490 yaml. Now, 
488 00:40:08,590 --> 00:40:17,100 we're going to want to keep the username and password the same, unless you changed these defaults 489 00:40:17,100 --> 00:40:18,500 within Metasploit. 490 00:40:18,570 --> 00:40:24,210 We also want to make sure that this says enable: true. Under host 491 00:40:24,210 --> 00:40:34,890 we need to change to our local IP, or public IP if we're doing this online, noting the port number 492 00:40:34,950 --> 00:40:42,750 if port forwarding is necessary. We'll also need to change the callback host to the same IP that we just 493 00:40:42,750 --> 00:40:43,220 used. 494 00:40:45,920 --> 00:40:52,430 This being done, save the file and close it. 495 00:40:52,690 --> 00:40:57,860 And remember, if you need your network IP just use ifconfig. 496 00:40:57,880 --> 00:41:08,290 Now we go back three times into /usr/share, so cd ../../../ (two periods and a forward slash, three times) puts us 497 00:41:08,290 --> 00:41:10,050 in /usr/share. 498 00:41:10,240 --> 00:41:16,090 And from here we're going to do cd metasploit-framework 499 00:41:20,360 --> 00:41:22,850 and we want to cd config 500 00:41:25,830 --> 00:41:32,050 and the final file that we need to edit is going to be database.yml, so 501 00:41:32,060 --> 00:41:35,250 leafpad database. 502 00:41:35,260 --> 00:41:38,710 yml. In here 503 00:41:38,710 --> 00:41:45,540 you want to make absolutely sure that the database and the username both say msf. Again, 504 00:41:45,580 --> 00:41:50,110 if you changed the defaults you'll need to change these values. 505 00:41:50,110 --> 00:41:52,020 Otherwise everything is fine. 506 00:41:52,270 --> 00:41:57,240 Save if necessary and then close. 507 00:41:57,240 --> 00:42:03,390 Now I know that this is a pain, but we have to restart Kali one more time. 508 00:42:03,390 --> 00:42:08,550 So again I'm going to pause the recording and resume it as soon as the restart is complete. 509 00:42:08,580 --> 00:42:08,880 All right. 
510 00:42:08,880 --> 00:42:15,330 And once the second restart is complete we're going to go ahead and open up a second terminal window, and 511 00:42:15,330 --> 00:42:25,080 we're going to type msfdb init, and this may take some time. 512 00:42:25,420 --> 00:42:29,230 We're going to reinitialize the Metasploit Framework database. 513 00:42:29,320 --> 00:42:30,250 This done, 514 00:42:30,430 --> 00:42:34,600 we're going to go ahead and we're going to load up msfconsole. 515 00:42:36,990 --> 00:42:43,410 Notice that we didn't actually need to start the PostgreSQL service for this, but you can if you want 516 00:42:43,410 --> 00:42:44,360 to. 517 00:42:44,430 --> 00:42:46,860 It's not really necessary in this case. 518 00:42:47,040 --> 00:42:55,190 This done, we'll once again run an ifconfig to make sure that our network address has not changed, and 519 00:42:55,190 --> 00:42:56,370 it has not. 520 00:42:56,390 --> 00:43:11,120 So we're going to do load, space, msgrpc, space, ServerHost (capital S, capital H, all one word) equals 521 00:43:13,320 --> 00:43:16,150 and we're going to give it our network IP 522 00:43:20,230 --> 00:43:34,390 and then we're going to do another space, Pass (capital P) equals abc123, all lowercase, which was our 523 00:43:34,720 --> 00:43:43,690 default Metasploit password, and do be aware that this is case sensitive. Once you hit Enter, the plugin 524 00:43:43,710 --> 00:43:45,640 will be successfully loaded. 525 00:43:45,660 --> 00:43:49,530 Last but not least, we need to load BeEF once again. 526 00:43:49,530 --> 00:43:56,800 Now it is very important that this time we load it from the terminal and not the shortcut. 527 00:43:56,820 --> 00:44:04,320 Remember, we are integrating it with msfconsole and transferring exploits into BeEF, and I've noticed 528 00:44:04,320 --> 00:44:11,340 that trying to do this any other way, such as through the shortcut, leads to at the very best failure 529 00:44:11,340 --> 00:44:12,920 and often a very big mess. 
530 00:44:12,930 --> 00:44:16,860 So we're going to open up a second terminal window. Now, in the new terminal window 531 00:44:16,860 --> 00:44:26,960 we're going to go to cd /usr/share/beef-xss, list files, 532 00:44:28,110 --> 00:44:32,890 and you may remember from the start of the video that I emphasized the importance of running BeEF this 533 00:44:32,890 --> 00:44:35,520 way, and this is why we do it. 534 00:44:35,530 --> 00:44:36,840 So we're going to do 535 00:44:37,030 --> 00:44:39,550 ./beef 536 00:44:43,400 --> 00:44:52,460 Successfully connected with Metasploit. Loading modules from Metasploit. Reloading exploits, rather. 537 00:44:52,930 --> 00:44:58,360 And now it's going to add in all of the exploits that came with Metasploit, so this may take some time 538 00:44:59,290 --> 00:45:00,780 depending on the speed of your system. 539 00:45:01,830 --> 00:45:07,920 And the BeEF server has successfully loaded, but notice that the browser did not automatically open when 540 00:45:07,920 --> 00:45:09,450 we loaded BeEF this way. 541 00:45:09,450 --> 00:45:15,320 So we're going to need to navigate to the user panel UI by hand. 542 00:45:15,500 --> 00:45:22,940 This means that we'll open up our browser of choice and we'll go ahead and navigate to the BeEF UI. 543 00:45:23,120 --> 00:45:31,230 Now we type beef and beef for the password, and remember that when we last logged in we only had that 544 00:45:31,230 --> 00:45:38,320 one exploit under the Metasploit folder, and that was Browser Autopwn. 545 00:45:38,400 --> 00:45:42,600 Now we'll click on an online browser so that we can access the Commands tab. 546 00:45:42,600 --> 00:45:50,070 And now, as you can see, we now have over six hundred exploits in the Metasploit folder, and just like 547 00:45:50,070 --> 00:45:51,000 in Metasploit, 
548 00:45:51,000 --> 00:45:59,670 a lot of these that you would click on, you would set the SRVHOST, the SRVPORT, the type of payload, the 549 00:45:59,670 --> 00:46:09,060 LPORT, the RPORT, etc., etc. To make a long story short, with just one single URL link you can hook a 550 00:46:09,060 --> 00:46:15,570 browser, and then the next thing you know you have the ability to attack that computer directly with 551 00:46:15,570 --> 00:46:23,070 Metasploit, and depending on your target it could actually be this easy to gain direct Meterpreter 552 00:46:23,070 --> 00:46:30,910 access, all from one URL link. BeEF is an incredibly powerful tool. 553 00:46:31,120 --> 00:46:35,360 It is even more powerful when it is used in conjunction with Metasploit. 554 00:46:35,440 --> 00:46:39,890 Hopefully it is now clear why this tool was included in this module. 555 00:46:39,910 --> 00:46:46,120 Practice with this tool and employ the proper techniques while using it, and you should find it tremendously 556 00:46:46,120 --> 00:46:51,040 helpful for all of your penetration tests. Before I close out this video, 557 00:46:51,040 --> 00:46:57,250 I once again have to say: never use this tool, or any other tool or technique demonstrated in these videos, 558 00:46:57,640 --> 00:47:03,180 against any target that you do not have written permission from the owner to penetration test. 559 00:47:03,280 --> 00:47:09,820 Although many of the examples given in this video take the perspective of a hacker attempting to unlawfully 560 00:47:09,820 --> 00:47:11,560 break into a system, 561 00:47:11,560 --> 00:47:17,770 this is because we as system administrators need to understand how the bad guys operate, so that we can 562 00:47:17,770 --> 00:47:21,700 defend against them and employ the right tools at the right times. 563 00:47:21,730 --> 00:47:26,070 So be ethical and lawful at all times. 564 00:47:26,080 --> 00:47:26,490 Thank you.