1
00:00:01,510  -->  00:00:02,650
<v Instructor>Okay, so now we know</v>

2
00:00:02,650  -->  00:00:05,910
how to discover XSS vulnerabilities.

3
00:00:05,910  -->  00:00:09,020
We haven't seen a good way of exploiting it though.

4
00:00:09,020  -->  00:00:12,110
All we were doing was injecting a very simple code

5
00:00:12,110  -->  00:00:15,330
that just displays an alert on screen saying

6
00:00:15,330  -->  00:00:17,500
that this website is vulnerable.

7
00:00:17,500  -->  00:00:20,960
What I want to do now is I wanna do something more advanced,

8
00:00:20,960  -->  00:00:23,150
I wanna be able to control the victims

9
00:00:23,150  -->  00:00:25,500
and do stuff on the targets' computers,

10
00:00:25,500  -->  00:00:28,420
on the people that visit the vulnerable pages

11
00:00:28,420  -->  00:00:30,083
where we inject our code.

12
00:00:32,230  -->  00:00:35,040
We're going to use BeEF to do this.

13
00:00:35,040  -->  00:00:36,780
We had a look on BeEF before,

14
00:00:36,780  -->  00:00:38,260
and what we're going to do is,

15
00:00:38,260  -->  00:00:40,590
we're gonna use the BeEF hook URL,

16
00:00:40,590  -->  00:00:44,290
and we're gonna inject it into the stored XSS page.

17
00:00:44,290  -->  00:00:47,003
So that everybody who visits that page,

18
00:00:47,003  -->  00:00:48,930
will be hooked to BeEF,

19
00:00:48,930  -->  00:00:51,400
and then we'll be able to run all the commands

20
00:00:51,400  -->  00:00:54,183
that BeEF allows us to, on the target computer.

21
00:00:57,250  -->  00:00:58,743
So I'm gonna start BeEF here.

22
00:01:02,170  -->  00:01:04,920
Now, as you can see, I'm logged into the main screen.

23
00:01:04,920  -->  00:01:06,053
Very simple screen.

24
00:01:07,600  -->  00:01:09,550
And if we look at the online browsers,

25
00:01:09,550  -->  00:01:11,403
we have no victims at the moment.

26
00:01:13,300  -->  00:01:16,120
So in order to hook victims to this framework

27
00:01:16,120  -->  00:01:20,910
and gain access to the functionality of BeEF,

28
00:01:20,910  -->  00:01:23,960
you need to inject this particular script

29
00:01:23,960  -->  00:01:24,910
instead of the alert.

30
00:01:24,910  -->  00:01:27,630
So remember the way we were injecting an alert script

31
00:01:27,630  -->  00:01:29,960
into a URL, or into the page,

32
00:01:29,960  -->  00:01:33,180
we're gonna be injecting a script that does the following,

33
00:01:33,180  -->  00:01:35,070
so that contains the following.

34
00:01:35,070  -->  00:01:36,383
So I'm gonna copy this.

35
00:01:37,920  -->  00:01:40,270
And then I'm gonna go to my vulnerable website.

36
00:01:41,910  -->  00:01:44,290
Remember this could be a popular website,

37
00:01:44,290  -->  00:01:47,473
or a website of a company which you're doing a pen test for.

38
00:01:48,760  -->  00:01:52,023
I'm just gonna make sure the security is set to low.

39
00:01:56,300  -->  00:01:59,763
And I'm actually gonna use the stored XSS.

40
00:02:02,690  -->  00:02:06,883
And I'm going to put the name as BeEF,

41
00:02:08,120  -->  00:02:10,970
and we'll put the comment as the hook

42
00:02:10,970  -->  00:02:14,200
that we got from the terminal.

43
00:02:14,200  -->  00:02:17,363
And I'm gonna modify the IP here to my own IP address.

44
00:02:19,380  -->  00:02:21,990
So instead of just IP, I'm gonna put my IP address,

45
00:02:21,990  -->  00:02:25,583
which is 10.20.14.

46
00:02:27,900  -->  00:02:30,550
And now it's not letting me add any more characters,

47
00:02:30,550  -->  00:02:33,660
because this field is configured in a way

48
00:02:33,660  -->  00:02:36,800
that it doesn't allow more than this number of characters.

49
00:02:36,800  -->  00:02:40,000
But we can bypass this very easily by right-clicking,

50
00:02:40,000  -->  00:02:41,743
and going on Inspect Element.

51
00:02:42,890  -->  00:02:45,870
And we're gonna modify the max length

52
00:02:45,870  -->  00:02:48,993
to instead of 50, I'm gonna set it to 500.

53
00:02:50,720  -->  00:02:52,700
And that's it, now I can add more stuff,

54
00:02:52,700  -->  00:02:57,337
so I'm gonna close that, and I'm gonna say to 10.20.14.207,

55
00:03:01,700  -->  00:03:02,790
which is my current IP.

56
00:03:02,790  -->  00:03:05,923
Now I can get my current IP by doing ifconfig.

57
00:03:12,510  -->  00:03:14,763
10.20.14.207, just to confirm.

58
00:03:15,910  -->  00:03:18,333
And I'm gonna Sign Guestbook.

59
00:03:19,640  -->  00:03:21,590
And that should make it work.

60
00:03:21,590  -->  00:03:24,623
Now if I go to my target.

61
00:03:25,690  -->  00:03:27,140
Now, right now you can see

62
00:03:27,140  -->  00:03:29,660
that I have my Linux computer right here,

63
00:03:29,660  -->  00:03:32,010
which has been hooked as a target.

64
00:03:32,010  -->  00:03:33,700
Now obviously, this is not my target,

65
00:03:33,700  -->  00:03:37,300
this is just me, and the hook has been executed

66
00:03:37,300  -->  00:03:38,440
on my browser.

67
00:03:38,440  -->  00:03:41,300
So, our target's actually this Windows device,

68
00:03:41,300  -->  00:03:44,640
or any person who is going to be visiting

69
00:03:44,640  -->  00:03:46,690
this XSS stored page.

70
00:03:46,690  -->  00:03:49,690
So because this is a stored XSS just like we explained,

71
00:03:49,690  -->  00:03:52,300
the code will be executed on any person

72
00:03:52,300  -->  00:03:53,743
who visits this page.

73
00:03:55,110  -->  00:03:57,870
Now if we go back, we should see

74
00:03:57,870  -->  00:04:00,600
the Windows device right here, as you can see.

75
00:04:00,600  -->  00:04:02,950
And it's showing up in the online browsers,

76
00:04:02,950  -->  00:04:06,270
so we basically have hooked this device,

77
00:04:06,270  -->  00:04:09,240
and we can run a large number of functions

78
00:04:09,240  -->  00:04:10,993
that BeEF allows us to do.

79
00:04:12,270  -->  00:04:13,870
So I'm gonna click on my target,

80
00:04:14,720  -->  00:04:16,370
and I'm gonna go on the Commands.

81
00:04:18,560  -->  00:04:21,240
So, right now, I just wanna run a specific command,

82
00:04:21,240  -->  00:04:24,210
which is just an alert command like we were doing before,

83
00:04:24,210  -->  00:04:26,713
just to confirm that everything is working.

84
00:04:28,520  -->  00:04:29,910
So I'm gonna go on this one,

85
00:04:29,910  -->  00:04:32,060
which is create an alert dialogue.

86
00:04:32,060  -->  00:04:34,080
And you can set the text in here,

87
00:04:34,080  -->  00:04:35,850
so you can put any text you want.

88
00:04:35,850  -->  00:04:38,410
I'm gonna leave it as BeEF Alert Dialog,

89
00:04:38,410  -->  00:04:40,703
but I'm just gonna click on Execute.

90
00:04:44,100  -->  00:04:45,780
So if we go on our tiny computer,

91
00:04:45,780  -->  00:04:48,080
we can see that the alert dialogue is working.

92
00:04:49,688  -->  00:04:51,520
Now I just did that to show you

93
00:04:51,520  -->  00:04:53,640
that everything is working perfectly.

94
00:04:53,640  -->  00:04:57,130
Now anybody who browses our target website,

95
00:04:57,130  -->  00:04:59,780
the vulnerable website, will get hooked to BeEF,

96
00:04:59,780  -->  00:05:02,620
and you can run all the commands that we've seen before,

97
00:05:02,620  -->  00:05:05,490
so all the commands that we've seen in the client-side attacks,

98
00:05:05,490  -->  00:05:09,220
like in Full Access using a fake notification bar.

99
00:05:09,220  -->  00:05:11,800
You're using the Pretty Theft, getting the screenshot,

100
00:05:11,800  -->  00:05:13,700
injecting a keylogger.

101
00:05:13,700  -->  00:05:16,730
You can do all of these attacks on any person

102
00:05:16,730  -->  00:05:18,830
who visits the vulnerable page,

103
00:05:18,830  -->  00:05:22,950
because we injected our hook into that page,

104
00:05:22,950  -->  00:05:26,210
not into the browser, and it's part of the page,

105
00:05:26,210  -->  00:05:28,500
so every time the page is loaded by anyone,

106
00:05:28,500  -->  00:05:30,853
they will be hooked to BeEF.
