OK. So now we know how to discover XSS vulnerabilities. We haven't seen a good way of exploiting them though. All we were doing was injecting very simple code that just displays an alert on screen saying that this website is vulnerable. What I want to do now is something more advanced. I want to be able to control the victims and do stuff on the targets' computers, on the people that visit the vulnerable pages where we inject our code. We're going to use BeEF to do this. We had a look at BeEF before, and what we're going to do is use the BeEF hook URL and inject it into the stored XSS page, so that everybody who visits that page will be hooked to BeEF, and then we'll be able to run all the commands that BeEF allows us to on the target computer. So I'm going to start BeEF here now. As you can see, I'm logged into the main screen, a very simple screen, and if we look at the online browsers we have no victims at the moment. So in order to hook victims to this framework and gain access to the functionality of BeEF, you need to inject this particular script instead of the alert. Remember the way we were injecting an alert script into the URL or into the page. We're going to be injecting a script that does the following, so that contains the following.

So I'm going to copy this and then I'm going to go to my vulnerable website. Remember, this could be a popular website or the website of a company which we are doing a pentest for. I'm just going to make sure the security is set to low, and I'm actually going to use the stored XSS, and I'm going to put the name as beef and we'll put the comment as the hook that we got from the terminal. And I'm going to modify the IP here to my own IP address. So instead of just IP I'm going to put my IP address, which is 10.20.14... and now it's not letting me add any more characters, because this field is configured in a way that it doesn't allow more than this number of characters. Well, we can bypass this very easily by right-clicking and going on Inspect Element, and we're going to modify the maxlength: instead of 50, I'm going to set it to 500, and that's it. Now I can add more stuff, so I'm going to close that and I'm going to set it to 10.20.14.207, which is my current IP, and I can get my current IP by doing ifconfig. 10.20.14.207, just to confirm. And I'm going to sign the guestbook, and that should make it work. Now if I go to my target... right now you can see that my Linux computer right here has been hooked as a target. Now obviously this is not my target. This is just me, and the hook has been executed on my browser.

So our target is actually this Windows device, or any person who is going to be visiting this stored XSS page. So because this is a stored XSS, just like we explained, the code will be executed on any person who visits this page. Now if we go back we should see the Windows device right here. As you can see, it's shown up in the online browsers. So we basically have hooked this device, and we can run a large number of functions that BeEF allows us to do. So I'm going to click on my target and I'm going to go on the commands. So right now I just want to run a specific command, which is just an alert command like we were doing before, just to confirm that everything is working. So I'm going to go on this one, which is Create Alert Dialog, and you can set the text in here, so you can put any text you want. I'm going to leave it as "BeEF Alert Dialog". I'm just going to click on Execute. So if we go on our target computer we can see that the alert dialog is working. Now I just did that to show you that everything is working perfectly.

Now anybody who browses our target website, the vulnerable website, will get hooked to BeEF, and you can run all the commands that we've seen before. So all the commands that we've seen and the client-side attacks, like getting full access using a fake notification bar, using Pretty Theft, getting a screenshot, injecting a keylogger: you can do all of these attacks on any person who visits the vulnerable page, because we injected our hook into that page, not into the browser. And that's part of the page. So every time the page is loaded by anyone, they will be hooked to BeEF.