Powered by Blogger.
Home » » Module 06: Network Penetration Testing Methodology-Internal 13

Module 06: Network Penetration Testing Methodology-Internal 13

Written By AKADEMY on Wednesday, July 3, 2019 | 11:19 AM

Exercise 13: Penetration Testing Vulnerable Machines and Creating a Botnet

Scenario

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and the client system and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
The objective of this lab is to help students learn how to:
  • Use the Browser Exploitation Framework (BeEF)
  • Attain Credentials of a user account in plain text
  • Establish a botnet of vulnerable machines
Lab Duration25 Minutes
  1. Click Kali Linux (Internal Network).
    If the Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
    Screenshot
  2. Type root in the Username field and click Next.
    Screenshot
  3. Type toor in the Password field and click Sign In.
    Screenshot
  4. Launch a command line terminal, type the command cd /usr/share/beef-xss and press Enter. This changes the present working directory from root to beef-xss.
    Screenshot
  5. Type the command ./beef and press Enter. This launches browser exploitation framework(BeEF).
    To Access to BeEf UI, copy the link http://172.20.20.21:3000/ui/panel.
    You will have to access this page in a web browser and log in to it.
    Screenshot
  6. Launch a web browser and paste the copied URL in the address bar and press Enter.
    BeEF login page appears on the browser. Enter the following credentials to log in to the web application and click the Login button:
    Username: beef
    Password: beef
    Screenshot
  7. The BeEF home page appears on the browser window. Under the Getting Started section, you will observe two "here" links.
    Right-click the first here link and select Copy Link Location.
    Now, you need to paste the link in the Contact Us page of LuxuryTreats website.
    Screenshot
  8. Now, open a new tab in the web browser and browse the webpage http://www.luxurytreats.com/Contactus.aspx.
    Screenshot
  9. Contact Us page appears; type a fake email in the Email field, paste the link (http://172.20.20.21:3000/demos/basic.html) copied from the BeEF framework in the Comment field and click Save Comment.
    Screenshot
  10. A comment link is posted on the page. Now, browse the webpage from other machines and open the URL http://172.20.20.21:3000/demos/basic.html. As soon as you open the webpage, the browser exploitation framework running in this machine attains connection with the machine. This way, a botnet will be created.
    Screenshot
  11. Log on to the Database Server Subnet Bmachine, click Database Server Subnet B and close the Server Manager window.
    Screenshot
  12. Launch Firefox web browser and browse the URL http://www.luxurytreats.com/Contactus.aspx.
    You will observe the Browser Exploitation Framework link in the Comment field. Copy the link.
    Screenshot
  13. Open a new tab, paste the URL and press Enter. As soon as you open this webpage, BeEF running in Kali Linux (Internal Network) machine establishes a connection with this machine.
    Screenshot
  14. Select Advertisement Dept. Subnet D from the Resources pane, log in to it and close the ServerManager window.
    Launch Chrome web browser and browse the URL http://www.luxurytreats.com/Contactus.aspx.
    You will observe the Browser Exploitation Framework link in the Comment field, copy the link.
    Screenshot
  15. Open a new tab, paste the URL and press Enter. As soon as you open this webpage, BeEF running in the Kali Linux (Internal Network) machine establishes a connection with this machine.
    Screenshot
  16. Select Sales Department Subnet D from the Resources pane and log in to it using the credentials Admin/test@123.
    Once you login to the machine, if a Networkbanner appears at the right side corner of the Desktop, click Yes.
    Launch Chrome web browser and browse the URL http://www.luxurytreats.com/Contactus.aspx.
    You will observe the Browser Exploitation Framework link in the Comment field, copy the link.
    Screenshot
  17. Open a new tab, paste the URL and press Enter. As soon as you open this webpage, BeEF running in the Kali Linux (Internal Network) machine establishes a connection with this machine.
    Screenshot
  18. Click Kali Linux (Internal Network), switch to the tab in which you are logged in to BeEF and click Logs tab.
    Screenshot
  19. You will observe that all the three machines Database Server Subnet BAdvertisement Dept. Subnet D and Sales Department Subnet D are connected to the Browser Exploitation Framework (BeEF) by observing the logs.
    You can observe them even in the left pane under the 172.20.20.21 directory (under Online Browsers).
    Screenshot
  20. This way, if anyone visits the page, BeEF gains access to their machines.
In this lab, you have learned how to:
  • Use the Browser Exploitation Framework (BeEF)
  • Attain Credentials of a user account in plain text
  • Establish a botnet of vulnerable machines
Share this article :

0 comments:

Post a Comment

 
Trung Tâm Đào Tạo An Toàn Thông Tin Học Hacker Mũ Xám Online | Học An Ninh Mạng Trực Tuyến | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved
Web Master @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT