The purpose of this post is to demonstrate how credentials can be stolen by combining three techniques: a Man-in-The-Middle (MiTM) attack, browser hooking, and social engineering.
The setup here is that an attacker has (theoretically) gained access to the victim’s network. Obviously there are many ways this could be accomplished but it could be as simple as the attacker and the victim using the same wireless network at a coffee shop.
Attacker box is running Kali Linux with an IP address of 172.17.130.69
Victim is running a fully patched Windows 7 OS with fully patched IE 11 with an IP address of 172.17.130.44
The first thing we do is start up the BeEF Framework on our Kali box. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
After it’s running, we need to make note of the “Hook URL” and the “UI URL” that begin with 172.X.X.X.
We login to the BeEF Framework website by browsing to the “UI URL” that we made note of in the previous step. The default username/password is: beef/beef
Once logged in, we see the below screen.
Inside another terminal (don’t close the one used to start up BeEF), we need to discover the default gateway on the network and also a victim in order to perform the MiTM attack. The below command will give us the info we need.
We can also now nmap the subnet to find a suitable victim.
Rather than unnecessarily disclose an entire subnet’s worth of devices for this post, I’m choosing to focus on my Windows 7 test box, which is listed below.
We now have sufficient information to implement our MiTM attack while simultaneously injecting the “Hook URL” into the victim’s packet stream. The technique used to achieve the MiTM attack is a simple ARP spoof. MiTMf (as seen in the terminal window below) is the tool used to achieve both attacks. I don’t believe this comes with Kali Linux; it can be downloaded/installed using apt-get install mitmf (I think).
Below is the output of the executed command.
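The ARP spoof used above works because the victim accepts whichever ARP reply arrives claiming the gateway's IP. The defensive counterpart is to watch ARP replies and alert when an IP (especially the gateway's) is suddenly claimed by a second MAC. The following is an added example, not part of the original post or of MiTMf/BeEF: a minimal Ethernet/ARP frame parser plus a watcher that records the first MAC seen for each IP and raises an alert on a conflict. The frames it inspects are constructed inline with the helper `build_arp_reply`; the gateway IP (172.17.130.1) and every MAC address are made-up values, since the post only gives the attacker and victim IPs.

```python
"""Detect ARP spoofing of the default gateway from a stream of raw ARP frames."""
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_to_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_to_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet/ARP reply frame; used here only to construct sample traffic."""
    eth = ETH.pack(mac_to_bytes(target_mac), mac_to_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REPLY,
                   mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                   mac_to_bytes(target_mac), ip_to_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _, _, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Remember which MAC first claimed each IP and alert when a different MAC claims it.

    In a real deployment the gateway MAC should be pinned from a trusted source
    (e.g. a static entry) rather than learned from the first reply seen, because an
    attacker who is already spoofing when monitoring starts would be "learned" as genuine.
    """

    def __init__(self, gateway_ip, pinned=None):
        self.gateway_ip = gateway_ip
        self.table = dict(pinned or {})   # ip -> mac believed to own it

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return None
        ip, mac = pkt["spa"], pkt["sha"]
        known = self.table.setdefault(ip, mac)
        if known == mac:
            return None
        severity = "HIGH" if ip == self.gateway_ip else "MEDIUM"
        return {"severity": severity, "ip": ip, "expected_mac": known, "seen_mac": mac}


def run_demo():
    """Feed constructed traffic through the watcher and return the alerts it raised."""
    GATEWAY_IP, GATEWAY_MAC = "172.17.130.1", "00:11:22:33:44:01"   # constructed
    VICTIM_IP, VICTIM_MAC = "172.17.130.44", "00:11:22:33:44:02"    # victim IP from the post; MAC constructed
    ATTACKER_MAC = "00:11:22:33:44:69"                              # constructed
    frames = [
        build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # genuine gateway reply
        build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # second MAC claims gateway IP
        build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # repeated claim
    ]
    watch = ArpWatch(gateway_ip=GATEWAY_IP, pinned={GATEWAY_IP: GATEWAY_MAC})
    return [alert for alert in (watch.observe(f) for f in frames) if alert]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The same watcher can be fed live frames from a raw socket or from a pcap; the detection logic only depends on `parse_arp`. The pinned gateway entry is what makes the check trustworthy, and a host-level equivalent (a static ARP entry for the gateway, or dynamic ARP inspection on the switch) is the usual mitigation on networks you control.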
On our Windows 7 box, we can see/verify/note its IP configuration.
Again, on our Windows 7 box, we open IE 11, which stupidly defaults to the non-secured (plain HTTP) MSN homepage…
As we do that, we can see on our Kali box that the browser has now been effectively “hooked”.
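The hook only lands because the page was served over plain HTTP, which lets the in-path tool add a `<script>` tag pointing at the attacker's machine. A proxy, IDS or browser-side audit can flag that pattern: an external script whose host is off-site, a bare IP address, or loaded over HTTP on an otherwise site-owned page. The code below is an added example, not from the post or from BeEF; the HTML it scans is a constructed sample, the script path `/hook.js` is a placeholder, and `static.msn.com` is an assumed same-site host. Only the attacker IP 172.17.130.69 comes from the post.

```python
"""Flag off-origin, bare-IP or plaintext <script src> references in an HTML response."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _site_of(host):
    """Crude 'site' = last two labels (msn.com for www.msn.com); good enough for this heuristic."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suspicious_scripts(html, page_url, allowed_hosts=()):
    """Return a finding per script whose origin does not belong to the page's site."""
    page_host = (urlparse(page_url).hostname or "").lower()
    site = _site_of(page_host)
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        parsed = urlparse(src)
        host = (parsed.hostname or "").lower()
        if not host:                      # relative URL: same origin as the page
            continue
        if host == page_host or host == site or host.endswith("." + site):
            continue
        if host in allowed_hosts:         # known CDNs / partners configured by the defender
            continue
        reasons = ["off-site host"]
        if _is_ip(host):
            reasons.append("bare IP address")
        if parsed.scheme.lower() == "http":
            reasons.append("loaded over plaintext HTTP")
        findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample: a plain-HTTP page whose own script is same-site, plus an injected one.
SAMPLE_HTML = """<html><head><title>MSN</title>
<script src="//static.msn.com/app.js"></script>
<script src="http://172.17.130.69/hook.js"></script>
</head><body><p>news</p><script src="/inline.js"></script></body></html>"""


def run_demo():
    return suspicious_scripts(SAMPLE_HTML, "http://www.msn.com/")


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run as a script it prints one finding for the injected tag. The heuristic is deliberately simple and will produce noise on pages that legitimately use third-party CDNs, which is what `allowed_hosts` is for; the root fix is serving the page over HTTPS (and HSTS) so an on-path attacker cannot modify the response at all.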
Now that the browser has been hooked, we have many options available to use within the BeEF Framework. Below I’ve chosen to use a module that will attempt to “trick” (social engineering) the victim into inputting their Facebook credentials into a pop-up window.
Back on our Windows 7 box, we see that the browser has presented the victim with the credential box.
If the victim inputs anything into the input fields, that data is captured and can be viewed within BeEF – as seen below.