1
00:00:00,150  -->  00:00:01,510
<v Instructor>In the previous video</v>

2
00:00:01,510  -->  00:00:04,620
I showed you how to hook a target to BeEF

3
00:00:04,620  -->  00:00:06,460
using a basic hook method,

4
00:00:06,460  -->  00:00:08,313
using an HTML page.

5
00:00:09,410  -->  00:00:11,180
In this lecture I want to show you

6
00:00:11,180  -->  00:00:13,070
a better way of doing this,

7
00:00:13,070  -->  00:00:15,753
if you are able to intercept connections.

8
00:00:17,260  -->  00:00:20,320
So as I showed you in the network hacking section,

9
00:00:20,320  -->  00:00:24,150
we can inject JavaScript code in the target browser

10
00:00:24,150  -->  00:00:26,763
if we are able to become the man in the middle.

11
00:00:27,610  -->  00:00:30,400
And since BeEF uses JavaScript code

12
00:00:30,400  -->  00:00:32,990
to hook targets, we can actually use

13
00:00:32,990  -->  00:00:35,680
the exact same method we learned earlier

14
00:00:35,680  -->  00:00:37,690
to inject BeEF's hook code

15
00:00:37,690  -->  00:00:40,493
in every website the target loads.

16
00:00:41,470  -->  00:00:43,510
This will allow us to hook targets

17
00:00:43,510  -->  00:00:44,850
and keep them hooked

18
00:00:44,850  -->  00:00:47,563
without directly communicating with them.

19
00:00:48,720  -->  00:00:51,790
So I have BeEF already running in here

20
00:00:51,790  -->  00:00:54,450
and like I said, in order to hook targets

21
00:00:54,450  -->  00:00:57,560
we're gonna have to inject BeEF's JavaScript code

22
00:00:57,560  -->  00:01:00,210
into the browser that they load.

23
00:01:00,210  -->  00:01:03,640
So to do this I've included custom JavaScript code

24
00:01:03,640  -->  00:01:05,920
in the resources of this lecture,

25
00:01:05,920  -->  00:01:08,450
so first of all download it from there.

26
00:01:08,450  -->  00:01:11,250
I already have it downloaded here.

27
00:01:11,250  -->  00:01:12,580
And before using this,

28
00:01:12,580  -->  00:01:14,733
I'm gonna double click it to modify it.

29
00:01:15,660  -->  00:01:18,710
So as you can see, it's actually very very simple code.

30
00:01:18,710  -->  00:01:22,070
It's gonna create a new element in every page,

31
00:01:22,070  -->  00:01:23,900
which will load BeEF's code

32
00:01:23,900  -->  00:01:27,653
and it will append this element to the head of the page.

33
00:01:28,770  -->  00:01:31,340
So the only thing you need to modify right here

34
00:01:31,340  -->  00:01:34,810
is your IP, and you wanna replace that with the IP of the

35
00:01:34,810  -->  00:01:37,250
Kali machine that is running BeEF.

36
00:01:37,250  -->  00:01:40,390
As you know, you can do ifconfig to get your IP.

37
00:01:40,390  -->  00:01:42,460
I already know what my IP is,

38
00:01:42,460  -->  00:01:44,490
so I'm gonna put it here.

39
00:01:44,490  -->  00:01:45,323
10.

40
00:01:45,323  -->  00:01:46,156
20.

41
00:01:46,156  -->  00:01:46,989
14.

42
00:01:46,989  -->  00:01:48,360
207

43
00:01:48,360  -->  00:01:50,480
So I'm gonna save this, Control+S

44
00:01:50,480  -->  00:01:52,780
and quit it, Control+Q.

45
00:01:52,780  -->  00:01:55,350
Now our JavaScript code is ready

46
00:01:55,350  -->  00:01:58,080
and all we have to do is literally inject it

47
00:01:58,080  -->  00:02:00,370
exactly as I showed you before,

48
00:02:00,370  -->  00:02:04,150
when we injected the simple alert JavaScript code.

49
00:02:04,150  -->  00:02:05,850
So all we have to do right now

50
00:02:05,850  -->  00:02:08,880
is put the location of this file

51
00:02:08,880  -->  00:02:11,830
in the hstshijack caplet.

52
00:02:11,830  -->  00:02:13,170
I'm going through this quickly

53
00:02:13,170  -->  00:02:16,260
because I spent a full lecture showing how to use this.

54
00:02:16,260  -->  00:02:19,390
So if you don't remember how JavaScript injection works,

55
00:02:19,390  -->  00:02:21,543
please go back and revise that lecture.

56
00:02:22,470  -->  00:02:24,220
So I'm gonna go to the location

57
00:02:24,220  -->  00:02:27,003
where I have the hstshijack caplet.

58
00:02:28,130  -->  00:02:29,740
Which is, as shown before,

59
00:02:29,740  -->  00:02:31,643
in usr, share, bettercap, caplets.

60
00:02:33,350  -->  00:02:34,800
This is the modified one.

61
00:02:34,800  -->  00:02:37,940
The one that I included in the resources of that lecture.

62
00:02:37,940  -->  00:02:39,510
Not the one that comes with bettercap.

63
00:02:39,510  -->  00:02:42,960
Cause as I mentioned, the one that comes with bettercap

64
00:02:42,960  -->  00:02:44,823
does not work as we want it.

65
00:02:45,900  -->  00:02:47,180
So what I wanna do right now,

66
00:02:47,180  -->  00:02:51,230
is modify the hstshijack.cap file.

67
00:02:51,230  -->  00:02:55,050
As you know, if we want to inject a custom JavaScript code,

68
00:02:55,050  -->  00:02:58,540
we have to modify the payload in here

69
00:02:58,540  -->  00:03:00,900
and as you can see it's already injecting

70
00:03:00,900  -->  00:03:04,530
a JavaScript code called keylogger.js

71
00:03:04,530  -->  00:03:07,750
So we want to add our custom JavaScript code.

72
00:03:07,750  -->  00:03:09,640
So I'm gonna add a comma,

73
00:03:09,640  -->  00:03:13,520
followed by the location of the file that I want to inject.

74
00:03:13,520  -->  00:03:16,120
Which as you know, I have my file in Downloads.

75
00:03:16,120  -->  00:03:19,080
In here and it's called inject_beef.js

76
00:03:20,070  -->  00:03:23,690
So first of all I'm actually gonna add a star+colon

77
00:03:23,690  -->  00:03:26,060
to say that I want to inject this file

78
00:03:26,060  -->  00:03:29,580
into every page the target loads

79
00:03:29,580  -->  00:03:33,330
and then I'm gonna put the full path to my JavaScript file.

80
00:03:33,330  -->  00:03:35,170
Which is, as I showed you,

81
00:03:35,170  -->  00:03:40,170
in root/Downloads/inject_beef.js

82
00:03:41,950  -->  00:03:43,370
It's as simple as that.

83
00:03:43,370  -->  00:03:45,010
I'm gonna save it, Control+S

84
00:03:45,010  -->  00:03:47,350
and quit, Control+Q

85
00:03:47,350  -->  00:03:49,160
and perfect, so that's done

86
00:03:49,160  -->  00:03:50,760
and all we need to do right now,

87
00:03:50,760  -->  00:03:55,230
is run bettercap to inject this file into every website

88
00:03:55,230  -->  00:03:57,030
the target loads.

89
00:03:57,030  -->  00:04:00,160
So we're gonna run bettercap using the exact same command

90
00:04:00,160  -->  00:04:02,050
that we used to use before.

91
00:04:02,050  -->  00:04:04,110
We're setting the interface to the interface

92
00:04:04,110  -->  00:04:06,610
that's connected to the target network

93
00:04:06,610  -->  00:04:09,610
and I'm gonna give it a caplet to load

94
00:04:09,610  -->  00:04:11,400
and the caplet that I want to load,

95
00:04:11,400  -->  00:04:12,740
is this spoof caplet

96
00:04:12,740  -->  00:04:14,810
because as I showed you earlier,

97
00:04:14,810  -->  00:04:17,580
this caplet will run an ARP spoofing attack

98
00:04:17,580  -->  00:04:19,983
putting me in the middle of the connection.

99
00:04:21,150  -->  00:04:21,983
And perfect.

100
00:04:21,983  -->  00:04:24,940
As you can see the caplet runs with no errors.

101
00:04:24,940  -->  00:04:28,440
So right now I should be intercepting connections

102
00:04:28,440  -->  00:04:29,790
and the next thing I wanna do,

103
00:04:29,790  -->  00:04:32,870
is to load the hstshijack caplet.

104
00:04:32,870  -->  00:04:35,410
So I can bypass HTTPS.

105
00:04:35,410  -->  00:04:38,030
Partially bypass HSTS

106
00:04:38,030  -->  00:04:42,430
and inject the JavaScript code that we just configured.

107
00:04:42,430  -->  00:04:46,600
The code that's in the inject_beef JavaScript file.

108
00:04:46,600  -->  00:04:48,660
So I'm just gonna type hs

109
00:04:48,660  -->  00:04:50,960
and press Tab to auto complete.

110
00:04:50,960  -->  00:04:54,170
Hit Enter and everything runs with no errors.

111
00:04:54,170  -->  00:04:55,430
So that's perfect.

112
00:04:55,430  -->  00:04:58,800
Now I should be intercepting all the data that's sent

113
00:04:58,800  -->  00:05:00,760
and received by the target

114
00:05:00,760  -->  00:05:04,820
and because we configured bettercap to inject the hook code

115
00:05:04,820  -->  00:05:06,810
in every page that loads.

116
00:05:06,810  -->  00:05:10,040
We should be able to hook our target to BeEF,

117
00:05:10,040  -->  00:05:12,930
as soon as they load any website.

118
00:05:12,930  -->  00:05:15,310
So let's go to the target computer

119
00:05:15,310  -->  00:05:17,410
and it's actually always a good idea

120
00:05:17,410  -->  00:05:20,530
to test against normal HTTP pages first.

121
00:05:20,530  -->  00:05:22,310
Against the simplest case

122
00:05:22,310  -->  00:05:24,270
but I've already tested this before

123
00:05:24,270  -->  00:05:26,670
and I know it works, so I'm gonna go ahead

124
00:05:26,670  -->  00:05:30,783
and test it against an HTTPS page straight away.

125
00:05:31,680  -->  00:05:34,820
It's also a good idea to remove the browsing data

126
00:05:34,820  -->  00:05:36,530
but I've already done that.

127
00:05:36,530  -->  00:05:39,690
So I'm just gonna go to stackoverflow.com

128
00:05:41,290  -->  00:05:44,330
as you can see the page is loading in normal HTTP,

129
00:05:44,330  -->  00:05:47,330
even though it uses HTTPS by default.

130
00:05:47,330  -->  00:05:52,330
That means our hstshijack is downgrading HTTPS to HTTP

131
00:05:52,640  -->  00:05:56,630
and it should have also injected my inject_beef code.

132
00:05:56,630  -->  00:05:58,800
So let's go to BeEF to confirm

133
00:05:58,800  -->  00:06:01,280
and see if we hooked the target.

134
00:06:01,280  -->  00:06:04,720
And perfect, as you can see we have a new online browser

135
00:06:04,720  -->  00:06:06,230
showing up in here.

136
00:06:06,230  -->  00:06:07,950
Which we can communicate with

137
00:06:07,950  -->  00:06:09,480
and run commands on,

138
00:06:09,480  -->  00:06:11,733
as I'm gonna show you in the next lectures.

139
00:06:13,240  -->  00:06:15,950
So now the BeEF hook code would be injected

140
00:06:15,950  -->  00:06:18,710
in every website the target loads.

141
00:06:18,710  -->  00:06:21,310
This will work against HTTP websites,

142
00:06:21,310  -->  00:06:23,170
HTTPS websites

143
00:06:23,170  -->  00:06:26,730
and even partially work against HSTS websites,

144
00:06:26,730  -->  00:06:28,270
like I showed you before.

145
00:06:28,270  -->  00:06:31,690
If the target goes to an HSTS website

146
00:06:31,690  -->  00:06:35,463
to a search engine that only uses normal HTTPS.