Creating a Cyber Attack – Part 5 (Post Exploitation – With BeeF )

In this video we pick up where we left off in Part 4. We have socially engineered our victim to visit our malicious website which has provided us with an initial connection to the victim machine. Attacker on the right, and victim on the left.

If you have not read the previous explanations or watched the videos I recommend taking a look as all the steps are shown and explained in detail, so if you are not sure about something shown here, go back and read the previous guides.

We will show a few simple techniques you can use to get a meterpreter shell to get a better foothold on the machine and maybe achieve persistence (permanent connection), and gather other information from the victim machine post exploit. Our victim machine has our malicious site and Facebook open in their browser.

The BeeF modules we will be going through are;

  1. Get Clipboard
  2. Detect Social Networks
  3. Pretty Theft
  4. Fake Notification Bar
  5. Fake Flash Update

Let’s get straight into it;

Get Clipboard – This is a simple one, and is under “Hosts” in the folder structure. The module will basically grab anything that is stored on the victim machines clipboard. In our example the victim has copied their credit card number to use in a website to buy something. We select the module and run “execute”, then after it has grabbed the info it is displayed in the window as shown.

Detect Social Networks – Another self-explanatory one here. This module is below “Network” in the folder structure and allows us to see which social networks the victim is logged into (as in real life you won’t see their desktop obviously). Why do we want this? Well if you know what they are logged into you can use the next module “Pretty Theft” to steal login details. We simply click execute on this, nothing else to configure.

Pretty Theft – This module is really simple to use, and basically provides us with some login box templates which we can pop-up on the victims screen to attempt to trick them into thinking their session has expired and they need to login again. Pretty Theft is under “Social Engineering” in the folder structure, and is simple to configure offering only basic config options. In our example we know the victim is logged into Facebook so we pop-up the Facebook template, then collect the username and password in the window as shown.

We then do the same, except we change the pop-up to a Windows themed box to try and get the Windows password of the victim as well.

Fake Notification Bar (IE) – This module will show a fake notification with a message and payload of your choice at the top of the victim machines browser. We keep the standard message, but specify our custom payload which will allow us to get a meterpreter shell on the victim allowing us more access to the machine. We fire up our listener in metasploit then show the pop-up which the victim clicks and installs our malicious payload. We then check metasploit and can see we have an active connection, which we confirm by running sysinfo.

Fake Flash Update – This works in much the same way as the module above, and can also be found under Social Engineering. We provide the URL of the custom payload we want to deliver and the location of the pop-up image we wish to use, in this case Flash, but you could use any update pop-up, we are just using flash in this demo. Once you have added your URLs again just hit execute and the victim will receive your pop-up.

That’s all done in under 5 minutes, so you can see just how scary this is and how quickly it can go wrong. We are going to leave this here, and in the next video we will be covering post exploitation using Metasploit and meterpreter.